NETASQ Technical Support Training Session 9

V7 internals

© NETASQ 2007

Agenda
• Gateway monitoring
• Socket Layer Daemon
• ASQ news
• Seismo
• Log Collector

NETASQ – CORPORATE PRESENTATION

Gateway monitoring 1/5
• Configured from Manager's Network / Routing panel, Advanced tab.
• Configuration stored in ConfigFiles/route.
• Two functions: high availability and load balancing.
• Based on two gateway pools: main and backup.
• Backup gateways are used when a specified number of main gateways are down (threshold).
• Load balancing by source or by destination.

Gateway monitoring 2/5
• Two commands: gatemon and hostcheck.
• The command hostcheck handles the gateway testing process.
• It tests the main gateways using ping.
• A failure occurs when no response is received within 10 seconds.
• A gateway is considered down after 3 failures.
• hostcheck returns 0 if the state of the gateway has not changed, 1 if it is now up, or 2 if it is now down.
• Gateways are tested every 60 seconds.

Gateway monitoring 3/5
• The upgrade process automatically adds the dial-up marked as default route to the pool of main gateways (Firewall_dlname_peer objects, where dlname is the name of the dial-up).
• The upgrade process automatically adds the DHCP default gateway to the pool of main gateways (Firewall_ifname_router objects, where ifname is the name of the DHCP interface).

Gateway monitoring 4/5
• hostcheck is run through eventd:

  [Gateway_Monitor_for_host_X]
  Description="Gateway monitor and auto-configuration of host X"
  State=1
  Timeout=0s
  SaveResult=1
  Priority=0
  Downtime=0
  Start=*
  Period=60s
  Exec="hostcheck X 10 3"
  1="gatemon X UP"
  2="gatemon X DOWN"

• The two Exec arguments are the 10-second timeout and the 3-failure count from the previous slide; the numbered keys map hostcheck's return codes to the gatemon actions (return code 0, no change, triggers nothing).

Gateway monitoring 5/5
• gatemon brings the routes up or down:
  gatemon gateway UP
  gatemon gateway DOWN
• The command sfctl -s route shows the gateways that are currently in use (up).
• netstat -rn always shows a valid default gateway.
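The five slides above describe a single procedure: hostcheck probes each gateway, eventd turns its return code into a gatemon action, and routing falls back to the backup pool once enough main gateways are down. The Python below is an added example written for this page, not NETASQ code: it models that contract with injected probe results so it runs offline and never sends ICMP. Two points are assumptions rather than slide content, and are marked as such in the comments: the failure counter is reset by any reply, and once the threshold is reached the backup pool replaces the main pool entirely.

```python
"""Added example (not NETASQ code): a model of the gateway-monitoring loop.

Documented contract followed here:
  * a probe with no reply within 10 s is a failure (Exec="hostcheck X 10 3");
  * a gateway is DOWN after 3 failures;
  * hostcheck returns 0 (no change), 1 (now UP), 2 (now DOWN);
  * eventd runs the command stored under the key equal to that return code;
  * the backup pool is used once `threshold` main gateways are DOWN.
Assumptions: any reply resets the failure counter, and the backup pool
replaces the main pool entirely once the threshold is reached.
"""
from dataclasses import dataclass

TIMEOUT_S = 10      # seconds, as in "hostcheck X 10 3"
MAX_FAILURES = 3    # failures before DOWN, as in "hostcheck X 10 3"


@dataclass
class GatewayState:
    up: bool = True
    failures: int = 0


def hostcheck(state, rtt_s, timeout_s=TIMEOUT_S, max_failures=MAX_FAILURES):
    """One probe round. rtt_s is the ping round-trip time, or None if no reply.
    Returns 0 if the state did not change, 1 if now UP, 2 if now DOWN."""
    if rtt_s is None or rtt_s > timeout_s:          # no answer within the timeout
        state.failures += 1
        if state.up and state.failures >= max_failures:
            state.up = False
            return 2
        return 0
    state.failures = 0                              # assumption: any reply resets the counter
    if not state.up:
        state.up = True
        return 1
    return 0


# The eventd section from the slide, with the host name X left as a placeholder.
EVENTD_SECTION = """\
[Gateway_Monitor_for_host_X]
Description="Gateway monitor and auto-configuration of host X"
State=1
Timeout=0s
SaveResult=1
Priority=0
Downtime=0
Start=*
Period=60s
Exec="hostcheck X 10 3"
1="gatemon X UP"
2="gatemon X DOWN"
"""


def parse_eventd_section(text):
    """Parse the key=value body of one eventd section (surrounding quotes stripped)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip().strip('"')
    return entries


def dispatch(section, return_code):
    """The command eventd runs for hostcheck's return code (None when no key matches)."""
    return section.get(str(return_code))


def simulate(probe_log, section=EVENTD_SECTION):
    """Replay probe results ((gateway, rtt_or_None) per 60 s round) and collect the
    gatemon commands eventd would have executed. Returns (states, commands)."""
    entries = parse_eventd_section(section)
    states, commands = {}, []
    for gw, rtt in probe_log:
        st = states.setdefault(gw, GatewayState())
        cmd = dispatch(entries, hostcheck(st, rtt))
        if cmd:
            commands.append(cmd.replace("X", gw))   # substitute the host placeholder
    return states, commands


def active_gateways(main, backup, states, threshold):
    """Gateways currently usable for routing: the main pool, or (assumption) the
    backup pool alone once `threshold` main gateways are DOWN."""
    down_main = sum(1 for gw in main if not states[gw].up)
    pool = backup if down_main >= threshold else main
    return [gw for gw in pool if states[gw].up]


if __name__ == "__main__":
    # Constructed probe log: gw1 answers, then fails three rounds, then recovers.
    log = [("gw1", 0.4), ("gw2", 0.3), ("gw1", None), ("gw1", 12.0), ("gw1", None),
           ("gw3", 0.2), ("gw1", 0.4)]
    states, commands = simulate(log)
    print(commands)
    print(active_gateways(["gw1", "gw2"], ["gw3"], states, threshold=1))
```

A reply that arrives after the 10-second timeout (the 12.0 s round in the constructed log) counts as a failure exactly like silence does, which is why hostcheck compares the round-trip time against the timeout rather than only testing for None.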

Socket Layer Daemon 1/2
• A single daemon: sld.
• Listens on 443/tcp and 1200/tcp.
• Handles connections to:
  – the authentication module (previously known as authd);
  – the SSL VPN module (previously known as xvpnd);
  – the web configuration module (previously known as webd).

• Old daemons are now dynamic shared objects loaded at runtime.

Socket Layer Daemon 2/2
• Enable verbose mode through the Verbose and VerboseFile parameters in the [Config] section of ConfigFiles/auth.
• Verbose accepts the keyword all or a comma-separated list of keywords among: start, socket, ssl, http, srp, ldap, authd, xvpn, console.
• VerboseFile is the file where logs are written. Defaults to /tmp/authd.debug.
• Toggle verbose mode by running sld -d.

Incoming and outgoing ASQ profiles
• ASQ distinguishes between incoming and outgoing streams.
• Outgoing streams are those coming from a protected interface.
• Incoming streams are those coming from an external (i.e., non-protected) interface.
• Proxy connections are handled by the outgoing profile:
  – client-to-proxy connections come from a protected network;
  – proxy-to-server connections come from the firewall's own IP address.

• See sfctl -s protaddr for further details.

Plugins default ports
• Used to attach a plugin when a destination-port-any filtering rule is matched.
• Avoids having to precede destination-port-any filtering rules with a port-in-plugins rule.
• Default ports take priority over the probe mechanism.
• Example: if the HTTP plugin's default port is set to 80/tcp, a connection to TCP port 80 that matches the rule "pass from any to any port any" is handled by the HTTP plugin.

ASQ verbose mode
• Still in section [Stateful] of ConfigFiles/ASQ/00.
• Still Verbose=1 to enable, and enasq to reload the ASQ configuration.
• Still have to use syslogd to save the data in a file.
• Level of detail is set through VerboseType, which accepts the keyword all or a comma-separated list of keywords among: Host, User, Connection, Plugin, AlarmBlock, AlarmPass, Nat, Filter, AlarmPacket, Bridge, Packet, Conf, Script.
• Ignored alarms appear in the ASQ verbose output.

Seismo
• Collecting network information.
• Correlating facts.
• Reporting deduced vulnerabilities and security concerns.

Collecting information
• Passive scanner concept.
• ASQ extracts data from analysed protocols.

[Figure: an HTTP request. Protocol context: the request line "GET /index.html HTTP/1.0". Extracted data: the header "User-Agent: Firefox 2.0".]

Collecting information
• Available probes:
  – Open ports.
  – HTTP plugin:
    • User-Agent: web browsers, but also applications with "web updates" (e.g., JRE).
    • Server banner: web servers, but also applications (e.g., PHP).
  – SMTP plugin:
    • Mail User-Agent (MUA).
    • Mail servers or clients.
  – Other plugins: POP3, IMAP, FTP, MySQL, SSH, SSL...

Collecting information
• PoF: passive fingerprinting
  – OS detection on SYN packets.
  – Database of known OS (fp.rules).
  – Built into ASQ.
  – Configuration:
    setconf ~/ConfigFiles/ASQ/00 Pof State 1
  – Verbose mode:
    cd ~/ConfigFiles/ASQ
    setconf 00 Stateful Verbose 1
    setconf 00 Stateful VerboseType Pof

Verbose PoF
  ASQ: wsize:49152 ttl:128 DF:1 psize:48 tcpopt:403 (4) (TS, M1160, W0) quirk: 0
  ASQ: 10.1.44.253.32905 > 10.1.44.254.1300:S 78788843:78788843(0) win 49152 (DF)
  ASQ: OS detected: Microsoft_Windows 2000 SP2+, XP SP1+ (seldom 98)
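The verbose line above is a fingerprint: window size, initial TTL, the DF bit, packet size and the TCP option list of the SYN, compared against fp.rules. As an added example (not NETASQ code, and not the fp.rules format), the Python below does the same kind of extraction on a raw IPv4/TCP SYN and matches the result against a rule table. The packets and the two rules are constructed for illustration and carry example labels only; the 32-hop TTL allowance in the matcher is an assumption about how an initial TTL is compared with the observed one.

```python
"""Added example (not NETASQ code): passive OS fingerprinting from a TCP SYN, in the
spirit of the PoF verbose line (wsize, ttl, DF, psize, TCP options). Packets and the
rule table are constructed; the labels are examples, not entries from fp.rules."""
import struct

# TCP option encoders used to build the constructed SYN packets.
NOP = b"\x01"
SACK_OK = b"\x04\x02"
def MSS(v):      return b"\x02\x04" + struct.pack("!H", v)
def WSCALE(s):   return b"\x03\x03" + bytes([s])
def TIMESTAMP(tsval=0, tsecr=0): return b"\x08\x0a" + struct.pack("!II", tsval, tsecr)


def build_syn(ttl, df, window, options, sport=32905, dport=1300):
    """Minimal IPv4 + TCP SYN with no payload. Checksums stay zero: the packet is
    only parsed locally, never transmitted."""
    opts = b"".join(options)
    opts += b"\x00" * (-len(opts) % 4)                  # pad options to a 32-bit boundary
    tcp_len = 20 + len(opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 1, 44, 253]), bytes([10, 1, 44, 254]))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 78788843, 0,
                      ((tcp_len // 4) << 12) | 0x02, window, 0, 0)   # flags: SYN only
    return ip + tcp + opts


def syn_signature(pkt):
    """Extract the fingerprint fields from a raw IPv4/TCP SYN."""
    ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not IPv4/TCP")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    if off_flags & 0x12 != 0x02:                        # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    opts, names, i = tcp[20:(off_flags >> 12) * 4], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                    # end of options list
            names.append("E"); break
        if kind == 1:                                    # NOP
            names.append("N"); i += 1; continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:   names.append("M%d" % struct.unpack("!H", body)[0])   # MSS
        elif kind == 3: names.append("W%d" % body[0])                         # window scale
        elif kind == 4: names.append("S")                                     # SACK permitted
        elif kind == 8: names.append("T")                                     # timestamp
        else:           names.append("?%d" % kind)
        i += length
    return {"wsize": window, "ttl": ttl, "df": (flags_frag >> 14) & 1,
            "psize": total_len, "opts": names}


# Constructed rules (the real database is fp.rules). "ttl" is the sender's initial
# TTL; "M*" / "W*" match any MSS / window-scale value.
RULES = [
    {"wsize": 65535, "ttl": 128, "df": 1, "opts": ["M*", "N", "W*", "N", "N", "S"],
     "os": "Windows-like (example rule)"},
    {"wsize": 5840, "ttl": 64, "df": 1, "opts": ["M*", "S", "T", "N", "W*"],
     "os": "Linux-like (example rule)"},
]


def match_os(sig, rules=RULES, max_hops=32):
    """OS label of the first matching rule, or None. Assumption: the observed TTL
    may be up to max_hops below the rule's initial TTL."""
    for r in rules:
        if r["wsize"] != sig["wsize"] or r["df"] != sig["df"]:
            continue
        if not (r["ttl"] - max_hops < sig["ttl"] <= r["ttl"]):
            continue
        if len(r["opts"]) != len(sig["opts"]):
            continue
        if all(o == p or (p.endswith("*") and o.startswith(p[:-1]))
               for o, p in zip(sig["opts"], r["opts"])):
            return r["os"]
    return None


if __name__ == "__main__":
    pkt = build_syn(ttl=127, df=True, window=65535,
                    options=[MSS(1460), NOP, WSCALE(0), NOP, NOP, SACK_OK])
    sig = syn_signature(pkt)
    print(sig, "->", match_os(sig))
```

The option list is compared in order and in full, which is what makes passive fingerprinting discriminating: two stacks with the same window and TTL still differ in where they place NOPs, window scaling and SACK.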

Correlating reported facts
• SODB
  – Each node of those trees is linked to a contextual vulnerability database.
  – Correlating information.
• Facts database
  – /var/db/pvm file.
  – Ciphered and autosaved.
  – HA: Pvmdbsync.

[Figure: example fact tree rooted at "Windows XP", with a "browser" node branching to "Firefox" and "I.E", and version leaves 1.x, 2.0 and 2.x.]

Detecting vulnerabilities
• Vulnerabilities database
  – Updated with Active Update.
  – SODB matching rules.
• Example: OS Windows + Firefox application + version «
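The correlation and detection steps of the last two slides, as an added example that is not NETASQ code: observations from the probes described earlier (PoF OS detection, HTTP User-Agent, HTTP Server banner, open ports) are folded per host into a facts database, and rules shaped like the slide's "OS + application + version" example are evaluated over it. The extraction regexes, the EX-* rule identifiers, the version thresholds and every observation fed in are constructed for illustration; they are not SODB's rules and describe no real advisory.

```python
"""Added example (not NETASQ code): the Seismo pipeline in miniature. Probe results
are correlated per host into a facts database, then matched against rules of the
form "OS + application + version below X". Patterns, rules and thresholds are
constructed for illustration and describe no real advisory."""
import re
from collections import defaultdict

# Constructed extraction patterns for the probes listed on the slides.
UA_APPS = re.compile(r"\b(Firefox|Opera|Java)/(\d+(?:\.\d+)*)")
UA_MSIE = re.compile(r"\bMSIE (\d+(?:\.\d+)*)")
BANNER_APPS = re.compile(r"\b([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)")


def version_key(v):
    """'2.0.0.1' -> (2, 0, 0, 1), so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


class FactsDB:
    """Per-host facts: detected OS, applications with versions, open ports."""
    def __init__(self):
        self.hosts = defaultdict(lambda: {"os": None, "apps": {}, "ports": set()})

    def pof(self, host, os_name):                      # from "ASQ: OS detected: ..."
        self.hosts[host]["os"] = os_name

    def open_port(self, host, port):
        self.hosts[host]["ports"].add(port)

    def http_user_agent(self, host, ua):               # client side of an HTTP request
        for app, ver in UA_APPS.findall(ua):
            self.hosts[host]["apps"][app] = ver
        m = UA_MSIE.search(ua)
        if m:
            self.hosts[host]["apps"]["MSIE"] = m.group(1)

    def http_server_banner(self, host, banner):        # Server: header of a response
        for app, ver in BANNER_APPS.findall(banner):
            self.hosts[host]["apps"][app] = ver


# Constructed matching rules shaped like the slide's "OS + application + version" example.
RULES = [
    {"id": "EX-0001", "os_prefix": "Microsoft_Windows", "app": "Firefox", "below": "2.0.0.3",
     "desc": "example: Firefox older than 2.0.0.3 on Windows"},
    {"id": "EX-0002", "os_prefix": None, "app": "PHP", "below": "5.2.1",
     "desc": "example: PHP older than 5.2.1 on any OS"},
]


def detect(db, rules=RULES):
    """Return (host, rule id, app, version) for every fact set that satisfies a rule."""
    findings = []
    for host, facts in sorted(db.hosts.items()):
        for r in rules:
            if r["os_prefix"] and not (facts["os"] or "").startswith(r["os_prefix"]):
                continue                                # OS constraint not met or OS unknown
            ver = facts["apps"].get(r["app"])
            if ver and version_key(ver) < version_key(r["below"]):
                findings.append((host, r["id"], r["app"], ver))
    return findings


def demo():
    """Feed constructed observations into the facts database and run the rules."""
    db = FactsDB()
    db.pof("10.1.44.253", "Microsoft_Windows 2000 SP2+, XP SP1+ (seldom 98)")
    db.http_user_agent("10.1.44.253",
                       "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20061204 Firefox/2.0.0.1")
    db.pof("10.1.44.10", "Microsoft_Windows 2000 SP2+, XP SP1+ (seldom 98)")
    db.http_user_agent("10.1.44.10",
                       "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20070309 Firefox/2.0.0.3")
    db.open_port("10.1.44.20", 80)
    db.http_server_banner("10.1.44.20", "Apache/2.2.4 (Unix) PHP/5.2.0")
    return db, detect(db)


if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

Two details matter in practice: versions are compared as integer tuples so that 2.0.0.10 is newer than 2.0.0.9, and a rule with an OS constraint is skipped when PoF has not yet classified the host, so a missing fact never produces a report.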