RE: insecurity in internet connection thro cable modems

[Bruce Platt <Bruce () ei3 com>]

A list member pointed out that I made en error in my original post.

When removing the private key, the following is what should be used:

# openssl rsa -in key.pem -out ca-private.key 

Regards

> -----Original Message-----
> From: Bruce Platt [mailto:Bruce () ei3 com]
> Sent: Sunday, February 16, 2003 8:39 PM
> To: 'Noonan, Wesley'; 'Dave Mitchell'
> Cc: 'Brian Ford'; firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] insecurity in internet connection thro cable
> modems
>
>
> It's not hard to generate a free SSL cert for a Netscreen if 
> you have access
> to OPENSSL on a nice unix box.
>
> Here's quick step by step for use in securing a management interface:
>
> - Create a self-signed root certificate using openssl as follows:
>
> #openssl req -x509 -newkey rsa:1024 -keyout key.pem -out 
> ca-public.pem 
>
> remove the private key from it as follows:
>
> #openssl req -x509 -newkey rsa:1024 -keyout key.pem -out 
> ca-public.pem 
>
> - Create a local certificate request on the netscreen you 
> want to manage.
> Fill in the ip address field with the internet ip of the 
> device.  This set's
> one of the Cn fields in the cert to the IP of the interface.
>
> - Save it somewhere with an appropriate name like 
> untrust-interface-ip.pem.
>
> - Sign the certificate with the local root CA created there 
> with a command
> like:
>
> #openssl x509 -req -in untrust-interface-ip.pem -CA 
> ca-public.pem -CAkey
> ca-private.key \
>  -CAcreateserial -out untrust-interface-ip.crt -days 730
>
> -  This is now a valid certficate for the netscreen which can 
> be loaded from
> the certicicates tab.  
>
> -  The next step which is to load the self-signed root CA ito 
> the netscreen
> by using the laod button on the CA tab.  Do this by remaming the
> ca-public.pem to a place where your browser can open as a 
> file and rename
> the file ca-public.cer.  Then load it into the netscreen from the
> Certificates, CA tab.
>
> Once you have loaded it you should reboot your netscreen.  
> Then go to the
> Administration tab and enable the certificate for web 
> management, and enable
> SSL for the interface you want to manage, by choosing the 
> local certificate
> you loaded earlier.  Also choose the ciper method you want to use 
>
> Then go to the interfaces tab and enable SSL on that interface.
>
> At this point you can log into the netscreen via https, however, your
> browser is likely to "barf" due to the certificate coming 
> from an untrusted
> root certifying authority.  You can fix this in the next step.
>
> -  Finally, open the capublic.cer file in your browser and 
> open it.  For
> Internet Explorer, the certificate import wizard starts on 
> your PC and you
> should import this certificate into the "Trusted Root Certification
> Authorities" store.  From now on, your browser will accept 
> the certificate
> created in above and loaded as a valid certifcate from a 
> trusted authority.
>
> - Go to the interfacees tab, and disable the Web UI.  You can 
> still manage
> the NS from the web via SSL, bot not via normal port 80 http.
>
> Simlar sets of commands will give you certs to use to 
> negotiate the VPN.  
>
> Just fine for use on a private network where no one needs to see the
> validity of the CA.
>
> Regards,
>
> -----Original Message-----
> From: Noonan, Wesley [mailto:Wesley_Noonan () bmc com]
> Sent: Sunday, February 16, 2003 6:44 PM
> To: 'Dave Mitchell'
> Cc: 'Brian Ford'; firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] insecurity in internet connection thro cable
> modems
>
>
> Freely admiting that I am not a netscreen expert (and thus, I 
> could have
> missed something in the config or docs), I found that I was 
> unable to get it
> to function and create keys without needing a certificate, 
> which is a hassle
> for small shops that want a VPN and don't want to pay for a 
> certificate that
> only has local significance. I also found their documentation 
> to be lacking.
> This was true for setting up SSH connections to manage the 
> device as well. 
>
> With the PIX I can generate my own keys in 10 seconds with a 
> single command
> and I am off and running. 10-11 commands later, the VPN is up.
>
> Like I said, I just kind of feel like netscreen is about 
> where the PIX was 2
> years ago. I happen to like the CLI of the PIX as well, but 
> that probably
> has more to do with my router background than anything else. 
> Beside, CLI
> preference is such a highly subjective situation anyway.
>
> HTH
>
> Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
> Senior QA Rep.
> BMC Software, Inc.
> (713) 918-2412
> wnoonan () bmc com
> http://www.bmc.com
>
>
> > -----Original Message-----
> > From: Dave Mitchell [mailto:dmitchell () viawest net]
> > Sent: Sunday, February 16, 2003 11:39
> > To: Noonan, Wesley
> > Cc: 'Brian Ford'; firewall-wizards () honor icsalabs com
> > Subject: Re: [fw-wiz] insecurity in internet connection 
> thro cable modems
> > Wes,
> >   GlobalPro makes it easier to maintain a fleet of Netscreens. I'm
> > confused
> > as to why you feel their VPN support is lacking? I've been able to
> > interoperate
> > Netscreen IPSec with Cisco PIX, Cisco IOS, Checkpoint, Cisco VPN3k,
> > FreeSWAN;
> > just to name some. Support for preshared keys, x509 certs, 
> ldap auth, and
> > securid
> > auth make me feel that Netscreen's IPSec has quite a few 
> features, not to
> > mention
> > higher throughput due to their ASIC's.
> >
> > -dave
> >
> >
> > On Sat, Feb 15, 2003 at 01:27:51PM -0600, Noonan, Wesley wrote:
> > > Having used both, I strongly prefer a PIX. It is much 
> easier to maintain
> > a
> > > bunch of PIXen than it is to maintain a bunch of 
> netscreens. It's not
> > that
> > > the netscreens are bad, it is just that the TCO is too 
> high to try to
> > > maintain a "fleet" of them. In addition, I find their 
> (netscreen) VPN
> > > support to be... well... lacking. It is a very convoluted 
> process, much
> > like
> > > the PIX was 2 years ago.
> > >
> > > HTH
> > >
> > > Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
> > > Senior QA Rep.
> > > BMC Software, Inc.
> > > (713) 918-2412
> > > wnoonan () bmc com
> > > http://www.bmc.com
> > >
> > >
> > > > -----Original Message-----
> > > > From: Brian Ford [mailto:brford () cisco com]
> > > > Sent: Saturday, February 15, 2003 12:56
> > > > To: firewall-wizards () honor icsalabs com
> > > > Cc: Dave Mitchell
> > > > Subject: Re: [fw-wiz] insecurity in internet connection 
> thro cable
> > modems
> > > > Dave,
> > > >
> > > > > More than
> > > > > likely, natting a home network behind a linksys soho 
> router would be
> > > > > sufficient.
> > > >
> > > > Yet another security policy that begins with "more than 
> likely".  What
> > > > happens in the "likely" case when someone figures out 
> where you are
> > and
> > > > wants to get at your stuff?
> > > >
> > > > > Putting in PIX 501's at someones home would be insane. 
> If you have to
> > > > > administer
> > > > > it, a small Netscreen is much easier than dealing with PIX.
> > > >
> > > > Gee Dave.  Why would it be insane to use a PIX?
> > > >
> > > > To set up a PIX at home all you need is the PIX.  You 
> don't need a PC
> > and
> > > > the setup disk that NetScreen ships.
> > > >
> > > > The 501 ships with a default "plug and play" 
> configuration that for
> > many
> > > > installs (including folks sitting behind a cable modem) 
> requires no
> > > > modification to get up and running.
> > > >
> > > > The PIX also supports Cisco AUS (Auto Update Server) so 
> that security
> > > > policy, operating system image, and configuration updates can be
> > securely
> > > > downloaded to the PIX from a central site without end user
> > intervention.
> > > > You said "a small Netscreen is much easier than dealing 
> with PIX".
> > Have
> > > > you really tried both products?  Could it be that you 
> just don't like
> > > > PIX?  Or that you just don't know about the PIX?
> > > >
> > > > Liberty for All,
> > > >
> > > > Brian
> > > >
> > > > At 12:00 PM 2/15/2003 -0500, firewall-wizards-
> > request () honor icsalabs com
> > > > wrote:
> > > > > Message: 5
> > > > > Date: Fri, 14 Feb 2003 14:03:11 -0700
> > > > > From: Dave Mitchell <dmitchell () viawest net>
> > > > > To: "Perrymon, Josh L." <PerrymonJ () bek com>
> > > > > Cc: "'Chapman, Justin T'" <JtChapma () bhi-erc com>,
> > > > >         "'firewall-wizards () honor icsalabs com '"
> > > > > <firewall-wizards () honor icsalabs com>
> > > > > Subject: Re: [fw-wiz] insecurity in internet 
> connection thro cable
> > modems
> > > > > For normal users I'd recommend some sort of appliance filter or
> > firewall.
> > > > > More than
> > > > > likely, natting a home network behind a linksys soho 
> router would be
> > > > > sufficient. If you
> > > > > want to do VPNing and what not, I think a Netscreen 5 
> would be the
> > best
> > > > > for the home
> > > > > firewall. Putting in PIX 501's at someones home would 
> be insane. If
> > you
> > > > > have to administer
> > > > > it, a small Netscreen is much easier than dealing with PIX.
> > > > >
> > > > > -dave
> > > > >
> > > > > On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon, 
> Josh L. wrote:
> > > > > > Yeah...  I ( Security Professional ) would 
> implement IPChains or a
> > PIX
> > > > @
> > > > > > home...
> > > > > > But don't you think Linux is completely out of the 
> question for a
> > > > regular
> > > > > > end user?????
> > > > > >
> > > > > > I'm looking for an application based firewall for 
> my VPN users..
> > > > > > So far ZONE ALARM is my choice..  I just wished I 
> could integrate
> > it
> > > > with
> > > > > > the PIX VPN client like the concentrator can.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Any Ideas??
> > > > > > -JP
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Chapman, Justin T [mailto:JtChapma () bhi-erc com]
> > > > > > Sent: Friday, February 07, 2003 11:29 AM
> > > > > > To: 'firewall-wizards () honor icsalabs com '
> > > > > > Subject: RE: [fw-wiz] insecurity in internet 
> connection thro cable
> > > > > > modems
> > > > > >
> > > > > >
> > > > > > > ipchains is old ( for the previous Linux Kernel 
> 2.2 ), iptables
> > > > > > > http://www.iptables.org would be a better choice.
> > > > > >
> > > > > > Agreed.  If it's an option at all, choose iptables 
> over ipchains.
> > > > It's
> > > > > more
> > > > > > flexable and it's a stateful packet filter, which 
> makes for a
> > > > "smarter"
> > > > > > firewall.  IPtables (and ipchains for that matter) 
> can be a bit
> > > > > intimidating
> > > > > > to work with, especially if you're new to the 
> syntax.  If you're
> > going
> > > > to
> > > > > > "rolll your own" firewall, I would suggest searching
> > > > Google/Freshmeat.net
> > > > > > for "iptables generator".  There are plenty of scripts/web
> > > > frontends/guis
> > > > > > that make creating simple "consumer-grade" 
> firewalls a snap.  One
> > that
> > > > I
> > > > > > particularly like is a cgi-based one at:
> > > > > >
> > > > > > http://morizot.net/firewall/gen/
> > > > > >
> > > > > > Good luck!
> > > > > >
> > > > > > --justin
> > > >
> > > >
> > > > Brian Ford
> > > > Consulting Engineer
> > > > Corporate Consulting Engineering, Office of the Chief Technology
> > Officer
> > > > Cisco Systems, Inc.
> > > > http://www.cisco.com
> > > > e-mail: brford () cisco com
> > > >
> > > > _______________________________________________
> > > > firewall-wizards mailing list
> > > > firewall-wizards () honor icsalabs com
> > > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards () honor icsalabs com
> > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () honor icsalabs com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards