Problem: VMware machines load boot loader immediately, no BIOS banner, so can’t get into BIOS to alter boot settings.
Solution: Edit the vm’s .vmx file and add the line:

bios.bootDelay = "5000"

which adds a 5000 millisecond (5 second) delay to the boot, or add:

bios.forceSetupOnce = "TRUE"

to make the VM enter the BIOS setup at the next boot.

Problem: VMware Fusion 3.0 doesn’t give a way to edit the virtual network settings via the GUI.
Solution: To change the subnet used by the NAT or HostOnly networks, go root in Mac OS X and edit

/Library/Application Support/VMware Fusion/networking

and set the following lines to the subnets desired:

answer VNET_1_HOSTONLY_SUBNET 192.168.35.0
answer VNET_8_HOSTONLY_SUBNET 10.10.1.0

To add additional custom isolated host only VLANs, also edit the networking file and add additional VNET definitions. There can apparently only be 8 VLANs with VLAN 1 and 8 already pre-defined.

answer VNET_2_DHCP no
answer VNET_2_HOSTONLY_NETMASK 255.255.255.0
answer VNET_2_HOSTONLY_SUBNET 10.10.21.0
answer VNET_2_VIRTUAL_ADAPTER yes
answer VNET_3_DHCP no
answer VNET_3_HOSTONLY_NETMASK 255.255.255.0
answer VNET_3_HOSTONLY_SUBNET 10.10.22.0
answer VNET_3_VIRTUAL_ADAPTER yes
answer VNET_4_DHCP no
answer VNET_4_HOSTONLY_NETMASK 255.255.255.0
answer VNET_4_HOSTONLY_SUBNET 10.10.23.0
answer VNET_4_VIRTUAL_ADAPTER yes

Now create your vm with as many network interfaces as you have separate VLANs (vnet) then edit the node.vmx vm configuration file and change the interfacename.connectionType to custom, and define the VLAN (vnet) that interface will attach to:

#ethernet0.connectionType = "nat"
ethernet0.connectionType = "custom"
ethernet0.vnet = "vmnet3"

Also realize that VMware will take the .1 host address on each vmnet – so you cannot assign .1 to any of your VMs.

Problem: Ubuntu 9.10 persistent network configuration (stores the MAC address of network adapters), so if you copy a machine, by default Ubuntu will setup a new logical adapter (eth1) since the MAC address has changed (when you answer I Copied It in VMware).
Solution: Tell VMware you copied the machine, so it will chose a unique MAC address. Boot Ubuntu into single user mode (another article on that to follow) then edit the MAC address associated with eth0.

sudo vi /etc/udev/rules.d/70-persistent-net.rules

find the stanza of the network interface in question (NAME=”eth0″) and set the following ATTR tag to the new MAC address:

ATTR{address}=="new-mac-address-here"


Thinking of the challenges associated with creating electronic healthcare records for all healthcare users in Alberta. Typical government projects don’t have the best track record for maintaining proper security architecture, much less implementation. Starting to dig into this for my next paper, and I’m somewhat underwhelmed with what I see. Do we have a choice to opt out? Is there any way to ensure our health records don’t get compromised and exposed publicly? I guess I’ll be searching for some answers.

Recently I found myself in the unhappy position of needing to sift through slightly more than a billion Checkpoint Firewall-1 log lines, looking for specific patterns of access. The problem was that many of the exported fwm log files had differing column positions and there had been many ruleset changes over the course of 11 months worth of log data. Many of the excellent FW1 log summarization tools (such as Peter Sundstrom’s fwlogsum) didn’t handle the hundreds of files and differing column positions.

The final scripted solution was processing over 11,000 lines/second .. and still took over 23 hours for the first run.

Log file exports via fwm logexport can have variable column positioning, except for record ID number “num”, which is *always* column number one.  I see three viable alternatives to the changing column position in the ASCII log files exported via fwm – so we can automate the log processing:

1. Parse the header line (line #1) of every log file and dynamically map (rearrange) the columns to a pre-determined standard in memory before further processing (painful, expensive)
2. Tell Checkpoint fwm to export in a fixed column ordering
   create
   logexport.ini
   and place in
   $FWDIR/conf directory
   eg. fwmgmtsrv:
   C:\WINDOWS\FW1\R65\FW1\conf
   logexport.ini:
   [Fields_Info]
included_fields = num,date,time,orig,origin_id,type,action,alert,i/f_name,
i/f_dir,product,rule,src,dst,proto,service,s_port,xlatesrc,xlatedst,
nat_rulenum,nat_addtnl_rulenum,xlatesport,xlatedport,user,
partner,community,session_id,ipv6_src,ipv6_dst,
srckeyid,dstkeyid,CookieI,CookieR,msgid,elapsed,
bytes,packets,start_time,snid,ua_snid,d_name,id_src,ua_operation,
sso_type_desc,app_name,auth_domain,uname4domain,wa_headers,
result_desc,r_dest,comment,url,redirect_url,enc_desc,e2e_enc_desc,
auth_result,attack,log_sys_message,
rule_uid,rule_name,service_id,resource,reason,cat_server,
dstname,SOAP Method,category,ICMP,message_info,
TCP flags,rpc_prog,Total logs,
Suppressed logs,DCE-RPC Interface UUID,Packet info,
message,ip_id,ip_len,ip_offset,fragments_dropped,during_sec
3. Use OPSEC LEA tools to extract event log records instead of export via fwm logexport

Once the ASCII log files are available for processing, my fw1logsearch.pl script can be used to find complex patterns of interest.  Any matching records found by fw1logsearch will be output with an initial FW1 header line so that fw1logsearch can be used iteratively, to build very complex search criteria.  fw1logsearch can also write out a discard file allowing completely negative logic searches resulting in 100% of the input data separated into a match file and a didn’t match file.  Some examples of how I’ve used it are shown here:

gunzip -c fwlogs/2009*gz | \
fw1logsearch.pl --allinclude \
-S '10\.1\.1[1359]\.|10\.2\.1[01]\.|192\.168\.2[245]\.' \
-d '10\.1\.1[1359]\.|10\.2\.1[01]\.|192\.168\.2[245]\.' \
-p '^1310$|^1411$|^1812$|^455' | \
fw1logsearch.pl -S '192\.168\.22\.14$|10\.2\.11\.12$' |\
fw1logsearch.pl --allexclude \
-S '^192\.168\.24\.12$' -P '^1310$' --rejectfile 192-168-24-12-port-1310.txt

Line by line:
1. Unzip the compressed ASCII log files, feed them to the first instance of fw1logsearch.pl
2. First fw1logsearch – all conditions must be true for any events to match
Source address must NOT be in any of the following regex ranges:
10.1.11.* 10.1.13.* 10.1.15.* 10.1.19.*
10.2.10.* 10.2.11.*
192.168.22.* 192.168.24.* 192.168.25.*
Destination address must be in one of the same following regex ranges.
Service (destination port) must be one of:
Exactly port: 1310, 1411, 1812, or any port starting with 455
No protocol is specified, so it will match either TCP or UDP

fw1logsearch.pl will output any matching events to stdout, including a FW1 log header line, so the next instance of fw1logsearch.pl continues filtering the result set.

3. The second fw1logsearch.pl specifies Source Address must not be any of the following
192.168.22.14

10.2.11.12

4. The last fw1logsearch.pl excludes port 1310 from 192.168.24.12, and puts all those records into a separate reject file, while writing the other records to stdout.

This script has been used to process over 4 billion records within the project I wrote it for – and precisely found all the use of particular business cases I needed to modify.  The result was zero outages and no unintended business interruption.

Basic syntax/help file:

Usage:  fw1logsearch.pl
[-a|--incaction|-A|--excaction <action regex>]
[-p|--incservice|-P|--excservice <dst port regex>]
[-b|--incs_port|-B|--excs_port <src port regex>]
[-s|--incsrc|-S|--excsrc <src regex>]
[-d|--incdst|-D|--excdst <dst regex>]
[-o|--incorig|-O|--excorig <fw regex>]
[-r|--incrule|-R|--excrule <rule-number regex>]
[-t|--incproto|-T|--excproto <proto regex>]

[--dnscache <dns-cache-file>]
[--resolveip]
[--allinclude]
[--allexclude]
[--rejectfile <file>]
[--debug <level>]

fw1logsearch.pl will search a fwm logexport text file for regex patterns specified for supported columns (such as service, src, dst, rule, action, proto and orig).

Include and exclude regex matches may be specified on the same line, although they both will include (print) a line or exclude (reject) a line based on single matches.  Allinclude or Allexclude must be specified to force a match
only on all specified column regex patterns.

Regex patterns can be enclosed with single quotes to include characters that are special to the shell, such as the ‘or’ (|) operator.

Header will be output only if there are any matching lines.

Example invocations:
$ cat 2008-07-07*txt | \
fw1logsearch.pl \
-p ’53|domain’ \
-d ’192.168.1.2|host1|10.10.1.2|host2′ \
-o ’192.168.2.3|10.10.2.4|10.10.4.5′ \
-S ’64.65.66.67|32.33.34.35|10.10.*|192.168.*’ \
–resolveip
Will require destination port (service) to be 53, destination IP to be any of 192.168.1.2, host1, 10.10.1.2, or host2  the reporting firewall (origin) to be any of 192.168.2.3, 10.10.2.4, or 10.10.4.5  and the source IP must not be
any of 64.65.66.67, 32.33.34.35, 10.10.*, or 192.168.*  Any lines that match this criteria, will display and the orig, src, and dst columns will use the default DNS cache file (dynamically built/managed) to perform name resolution, replacing the IP addresses where possible.

Include regex patterns:
-a  –incaction    Rule action (accept, deny)
-b  –incs_port    Source port (s_port)
-p  –incservice   Destination port (service)
-s  –incsrc       Source IP|hostname
-d  –incdst       Destination IP|hostname
-o  –incorig      Reporting FW IP|hostname
-r  –incrule      Rule number that triggered entry
-t  –incproto     Protocol of connection

Exclude regex patterns:
-A  –excaction    Rule action (accept, deny)
-B  –excs_port    Source port (s_port)
-P  –excservice   Destination port (service)
-S  –excsrc       Source IP|hostname
-D  –excdst       Destination IP|hostname
-O  –excorig      Reporting FW IP|hostname
-R  –excrule      Rule number that triggered entry
-T  –excproto     Protocol of connection

Other options:
–debug {level} Turn on debugging
–dnscache      Specify location of DNS cache file to be used with
the Resolve IPs option
–resolveip     Resolve IPs for orig, src, and dst columns AFTER filtering
–rejectfile    Write out all rejected lines to a specified file

Download fw1logsearch.pl

Start of my InfoSec article journal and book list

Not really blog worthy, but I decided to start a journal of interesting information security articles or books that I’ve found to be particularly valuable. Not all of them are publicly available, but where I can, I’ll add some links. Really this is just a list of my dog-eared books in no particular order. (-:

Articles

Security Controls That Work; Information Systems Control Journal; Volume 4, 2007

Information Security Standards Foucs on the Existence of Process, Not Its Content; Communications of the ACM; August 2006, Volume 49, Number 8

FrankenSOA; Network Computing; 06/25/07; Page 41

Books

Chris McNab, Network Security Assessment, Sebastapol, CA: O’Reilly Media, Inc., 2004 – Describes a technical assessment methodology which can be used to understand the “threats, vulnerabilities, and exposures modern public networks face.”

Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt, Upper Saddle River, NJ: Addison-Wesley, 2007 – Information security has been largely justified by fear over the last many years. This book is the single best book I have seen yet which provides a pragmatic guide to using effective metrics in infosec programs and communication with stakeholders. I think that organizations which adopt this type of approach will fare well when infosec spending starts to level off or dry up.

Stephen Northcut, Lenny Zeltser, Scott Winters, Karen Kent & Ronald Ritchey, Inside Network Perimeter Security, Indianapolis, Indiana: Sams Publishing, 2005 – excellent multi-layer book which describes appropriate techniques to layer differing strategies together to provide stronger perimeter defense
.  “Defense in depth is a primary focus of this book, and the concept is quite
simple: Make it harder to attack at chokepoint after chokepoint.”

One can now inexpensively build a fault tolerant firewall cluster that removes any single point of failure in the security policy enforcement points at your security zone boundaries. Synchronous firewall state table updates and an open source version of virtual router redundancy protocol (CARP) gives the ability to seamlessly insert or remove firewalls from a cluster. No more patching firewalls at 2am hoping for the best (or not patching because it’s too hard).

PDF

So setting up my shiny new iPhone 3G for IMAPS email was not entirely straight forward.  (-:  There are two complicating factors that I ran into.  For IMAP over SSL (IMAPS) connections to a mail server that is using a digital certificate that is signed by a well known certificate authority AND running on the default TCP port 993, no problems.  You may have a be a bit patient as the mail app on the iPhone accepts the certificate.  For less standard mail server implementations, read on …

I am using a server certificate that is in essence a self-signed certificate – it is signed by CAcert.org, however very few (if any) browsers and mobile devices trust or even know of CAcert.org.  In this case, you will need to be patient while the iPhone mail app finally rejects the server certificate as untrusted.  The dialogue box will acknowledge the mail server certificate is invalid and will ask if you want to continue.  Accept the continue option and eventually (took about 5 minutes for my iPhone) the iPhone will accept the ‘invalid’ certificate.

Now, if you are using a mail server that has IMAPS running on a non-standard port (anything other than TCP 993), you must first establish the connection and have the iPhone accept the certificate over port 993.  Once the mail account is setup initially, then you can go change the port to something non-standard.

Once I get a chance I’ll post some screen shots.

Add local redirection of low port to unpriv high port

Remove any existing entries:

iptables -t nat -D PREROUTING –src 0/0 -p tcp –dport 25 -j REDIRECT –to-ports 11025 2> /dev/null
iptables -t nat -D PREROUTING –src 0/0 -p tcp –dport 80 -j REDIRECT –to-ports 8080 2> /dev/null

Add new redirects:
iptables -t nat -I PREROUTING –src 0/0 -p tcp –dport 25 -j REDIRECT –to-ports 11025
iptables -t nat -I PREROUTING –src 0/0 -p tcp –dport 80 -j REDIRECT –to-ports 8080

Running day-to-day with a Windows account that has Administrator privileges is a recipe for disaster.  Casual browsing of a website that is infected or inadvertent opening of infected attachments can result in an infection through the user’s Administrator privileges.  Something like 92% of Microsoft critical vulnerabilities announced in 2008 could have been mitigated by operating day-to-day as a normal user.  Splitting your accounts into a normal account and admin account is a good idea, but it can lead to some headaches when the normal user needs to run temporarily as Administrator.

Fortunately there are some work arounds that can be used to temporarily elevate the user’s privileges to Administrator.  Most of these involve the RUNAS command:

File explorer
If you’re running IE7 under WinXP, in order to run Windows Explorer with the runas command, it must be run as a separate process. A quick way to do this, without having to change your Folder Options settings, would be to run an instance of Explorer with the undocumented parameter /separate, like this:

runas /user:domain\username "explorer /separate"

Command Line Prompt
You can add a shortcut on the task bar with the following syntax to get an Administrator cmd prompt:

%windir%\system32\runas.exe /user:yourdomain\a-someuser cmd

yourdomain is the name of your AD domain if you have one, if not, leave it out.  a-someuser is a suggested naming convention for the Administrator account associated with the user named someuser.