Sunday, August 9, 2015

Application layer inspection firewall

Routers are traditionally layer 3 devices in the OSI model, but current routers are also able to operate at higher layers, up to layer 7 (the application layer).
Among these new capabilities, vendors have introduced security features such as application inspection.
These improvements give us more control over the communication process, going beyond the fixed port-to-protocol assumptions (HTTP = TCP 80, VNC = TCP 5900, Microsoft Terminal Server = TCP 3389, and so on).

I would like to demonstrate application inspection from two network vendors: Cisco Systems and Kerio Technologies.
Cisco Systems introduced the Zone Based Firewall in 2006; Kerio Technologies introduced its Content Filter in 2013.

Below are the two lab environments.

Scenario:
A network admin applied a typical configuration: an L3/L4 extended ACL allowing only TCP traffic with destination port TCP 80 from network A to network B. Later the admin discovered a security risk: some users had changed the Microsoft Terminal Server service port from the default TCP 3389 to TCP 80, so the ACL let their Terminal Server sessions through as if they were HTTP. This is the reason to add a new security level through application inspection.

Elements of this laboratory (Cisco Systems Zone Based Firewall):
- Host computer capable of virtualization
- GNS3
- - 01 router running Cisco IOS K9 (c2691-adventerprisek9-mz.124-15.T14)
- Oracle VirtualBox
- - 03 guests

Router configured with an L3/L4 extended ACL:





Router configured as an application-layer firewall:





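The router configurations in this post were published as screenshots that are not reproduced here. As an added illustration (not the author's lab configuration), below are the two stages of the scenario on Cisco IOS, using assumed names and addresses: network A = 192.168.10.0/24 on FastEthernet0/0, network B = 192.168.20.0/24 on FastEthernet0/1, and ACL/class/policy names chosen for this example. The first stage is the port-only ACL that lets re-ported RDP through; the second replaces it with a Zone-Based Firewall policy that hands port-80 flows to the HTTP inspection engine and resets sessions whose payload violates the HTTP protocol.

```cisco
! ===== Stage 1: L3/L4 extended ACL only (assumed names and addresses) =====
! Anything from network A to network B on TCP/80 is allowed, whatever the
! payload is. RDP moved from 3389 to 80 passes this check unnoticed.
ip access-list extended A_TO_B_PORT80
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 80
 deny   ip any any log
!
interface FastEthernet0/0
 description Network A
 ip address 192.168.10.1 255.255.255.0
 ip access-group A_TO_B_PORT80 in
!
interface FastEthernet0/1
 description Network B
 ip address 192.168.20.1 255.255.255.0
! Return traffic B -> A is unfiltered, so the stateless ACL "works" for HTTP.

! ===== Stage 2: Zone-Based Firewall with HTTP application inspection =====
interface FastEthernet0/0
 no ip access-group A_TO_B_PORT80 in
!
zone security NET_A
zone security NET_B
!
! L3 scope only: which networks may talk. No port here; the port/protocol
! decision is taken by the inspection engine, not by the ACL.
ip access-list extended A_TO_B_NETS
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! L7 class: any request/response that violates the HTTP protocol
class-map type inspect http match-any HTTP_VIOLATION
 match req-resp protocol-violation
!
! L7 policy: reset (and log) sessions that are not really HTTP
policy-map type inspect http HTTP_STRICT
 class type inspect http HTTP_VIOLATION
  reset
  log
!
! L3/L4 class: A -> B AND classified as HTTP (TCP 80 via the default PAM)
class-map type inspect match-all A_TO_B_HTTP
 match access-group name A_TO_B_NETS
 match protocol http
!
policy-map type inspect A_TO_B_POLICY
 class type inspect A_TO_B_HTTP
  inspect
  service-policy http HTTP_STRICT
 class class-default
  drop log
!
zone-pair security A_TO_B source NET_A destination NET_B
 service-policy type inspect A_TO_B_POLICY
!
interface FastEthernet0/0
 zone-member security NET_A
interface FastEthernet0/1
 zone-member security NET_B
! No zone-pair B -> A is defined, so only the return traffic of inspected
! sessions is allowed back; new connections from B to A are dropped.
```

Verify with `show zone-pair security` and `show policy-map type inspect zone-pair A_TO_B sessions`. A browser's GET to a host in network B should appear as an established session, while an RDP client pointed at TCP 80 should be reset as soon as its first non-HTTP data arrives and show up in the log. Which conformance checks the HTTP engine actually fires depends on the IOS release, so test with real clients rather than trusting the counters alone; that is the kind of "unexpected result" the conclusion of this post warns about.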
Elements of this laboratory (Kerio Control - Version 8.6.0 3693P1):
- Host computer capable of virtualization
- Oracle VirtualBox
- - Guests

Application inspection on Kerio Control is supported only between different zones (Trusted vs. Internet); at the time of writing it is not available for traffic routed internally.








Below are two screenshots that give a visual idea of how an application inspector determines the type of traffic.





Conclusion:
Application inspection is not an easy job: the results are often unexpected, and it requires strong knowledge of networking and of the software running on the network, but it is necessary when port-based filtering alone cannot guarantee security.

Monday, May 11, 2015

Site to Site VPN NAT Traversal (simple Lab, Cisco Systems alternative)





Based on the first two posts.


Problem:
Often we establish a site-to-site VPN over the Internet using public IPs as the tunnel source and destination, but what if one of the nodes does not get a public IP from its ISP?
In these cases we can use SSL VPN-style remote access tools such as TeamViewer or LogMeIn, but if on one side we have equipment such as PLCs, CCTV systems or similar devices that cannot run such a client, we must look for alternatives, for example the scenario below.


Elements of this laboratory:
- Host computer capable of virtualization.
- GNS3
- - 04 routers running Cisco IOS K9 (c2691-adventerprisek9-mz.124-15.T14)
- Oracle VirtualBox
- - 02 guests


Below the configuration of each router:


main_branch router config




internet router config




front_nat_network router config




remote_branch router config
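The router configurations in this post were also screenshots. As an added example (not the author's lab configuration, and also applicable to the Cisco variant of the March 8 post below), here is the essential IKEv1/IPsec configuration for the NAT traversal case on Cisco IOS, with assumed addresses: main_branch has the public IP 203.0.113.1 (ISP gateway 203.0.113.254) and LAN 192.168.1.0/24; remote_branch gets the private address 10.0.0.2 from front_nat_network (gateway 10.0.0.1) and serves LAN 192.168.2.0/24; front_nat_network PATs everything to its own public address and the internet router simply routes. The pre-shared key and all map, set and ACL names are placeholders for this example. Because main_branch cannot know which public address the remote will appear from, it uses a dynamic crypto map and waits; remote_branch is the only side that can initiate. NAT-T (NAT detection during IKE on UDP 500, then ESP encapsulated in UDP 4500) is enabled by default on this IOS, so only the keepalive is set explicitly.

```cisco
! ===== main_branch (public IP, cannot initiate; accepts any peer) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! Wildcard PSK: the peer address seen here is front_nat_network's public IP,
! which is not known in advance. Acceptable for a lab; in production prefer
! IKE identities bound to certificates over one key for 0.0.0.0/0.
crypto isakmp key LAB_PSK_CHANGE_ME address 0.0.0.0 0.0.0.0
! NAT-T keepalives keep the PAT entry on front_nat_network alive while idle
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set TS_AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto dynamic-map DYN_REMOTE 10
 set transform-set TS_AES
 reverse-route
!
crypto map VPN_MAP 10 ipsec-isakmp dynamic DYN_REMOTE
!
interface FastEthernet0/0
 description Internet
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN_MAP
!
interface FastEthernet0/1
 description main_branch LAN
 ip address 192.168.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254

! ===== remote_branch (private WAN address behind front_nat_network) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key LAB_PSK_CHANGE_ME address 203.0.113.1
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set TS_AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Interesting traffic: LAN to LAN. This is what remote_branch proposes and
! what the dynamic map on main_branch learns when the SA comes up.
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS_AES
 match address VPN_TRAFFIC
!
interface FastEthernet0/0
 description WAN (private address from front_nat_network)
 ip address 10.0.0.2 255.255.255.0
 crypto map VPN_MAP
!
interface FastEthernet0/1
 description remote_branch LAN
 ip address 192.168.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
```

The first packet from 192.168.2.0/24 toward 192.168.1.0/24 makes remote_branch start IKE; front_nat_network needs only its PAT rule and must not block outbound UDP 500 and 4500. Check on either side with `show crypto isakmp sa` and `show crypto ipsec sa`: with NAT-T in use the IPsec SA shows `Tunnel UDP-Encaps` and port 4500 on the peer address. Until the remote has brought the tunnel up, main_branch has no route to 192.168.2.0/24 (`reverse-route` injects it only while the SA exists), so "bidirectional" here means the NATed side connects first and keeps the tunnel alive, exactly as in the scenario. If remote_branch also NATs its LAN for Internet access, exempt the VPN_TRAFFIC networks from its NAT ACL or the crypto map will never see the traffic.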

Friday, March 13, 2015

VPN SITE TO SITE ON INTERNET BEHIND NATED NETWORK (Mikrotik - alternative)





Based on the first post


Problem:
Often we establish a site-to-site VPN over the Internet using public IPs as the tunnel source and destination, but what if one of the nodes does not get a public IP from its ISP?
In these cases we can use SSL VPN-style remote access tools such as TeamViewer or LogMeIn, but if on one side we have equipment such as PLCs, CCTV systems or similar devices that cannot run such a client, we must look for alternatives, for example the scenario below.


Scenario:
The network located behind another NATed network initiates the VPN as the client side, establishing a secure tunnel that enables bidirectional IP traffic between the sites.


Elements of this laboratory:
- Host computer capable of virtualization.
- Oracle VirtualBox
- - 04 routers running Mikrotik RouterOS (version 6.27)
- - 03 guests


Below the configuration of each router:


main_branch router config




internet router config




front_nat_network router config




remote_branch router config




remote users config (routing table, avoiding the default route)




Graphic: secure protocol vs. non-secure

Sunday, March 8, 2015

VPN SITE TO SITE ON INTERNET BEHIND NATED NETWORK (Cisco Systems - alternative)





Problem:
Often we establish a site-to-site VPN over the Internet using public IPs as the tunnel source and destination, but what if one of the nodes does not get a public IP from its ISP?
In these cases we can use SSL VPN-style remote access tools such as TeamViewer or LogMeIn, but if on one side we have equipment such as PLCs, CCTV systems or similar devices that cannot run such a client, we must look for alternatives, for example the scenario below.


Scenario:
The network located behind another NATed network initiates the VPN as the client side, establishing a secure tunnel that enables bidirectional IP traffic between the sites.


Elements of this laboratory:
- Host computer capable of virtualization.
- GNS3
- - 04 routers running Cisco IOS K9 (c2691-adventerprisek9-mz.124-15.T14)
- Oracle VirtualBox
- - 03 guests


Below the configuration of each router:


main_branch router config




internet router config




front_nat_network router config




remote_branch router config




remote users config