pskl.us

Integrate your SafeConnect NAC with a Palo Alto Firewall

by on Jun.29, 2012, under Code, Tutorials

The following script allows you to export Username:IP Address pairings from your SafeConnect NAC appliance into your Palo Alto firewall.  This allows for super-fast identification of misbehaving clients and infected machines on your network.

Requirements:

  • A Palo Alto firewall and a SafeConnect NAC box (obviously)
  • MySQL database, configured to receive logging from your SafeConnect Appliance (SafeConnect support can help with the log export configuration on your appliance)
  • A Linux box to run this script.   I suggest using the same box as your MySQL DB, but that’s up to you.
  • Two Windows servers.  If you’re an AD shop, just install these on any member server.

Setup:

1) Install the Palo Alto UserID Agent (download from the Palo Alto support site) on two member servers in your domain.  The account you provide to the agent needs permission to read the event logs on the Domain Controllers.  It must also have local administrator access to the box where it is installed.

2) Configure the Palo Alto UserID agent to accept incoming XML connections (Setup -> Edit -> Agent Service)

3) Configure the Access Control List of the PA User-ID Agent program to permit connections from your Linux box and your Palo Alto Firewalls. (Setup -> Access Control List -> Add).  Be sure to permit ports 5006/TCP and 5007/TCP through any applicable firewalls as well.

4) Configure your Palo Alto firewalls to communicate with the UserID Agents.  (From the WebUI, Device -> User Identification -> User-ID Agents).  The port number is 5007.

5) Install MySQL on your Linux box, and configure the SafeConnect appliance for MySQL export to your server.  (The MySQL setup is beyond the scope of this document).  SafeConnect support can assist you with the appliance-side configuration.  Create a MySQL user with permission to read the “clienthist” table from the Linux box where you’ll be running the script.

6) Install the PAN::API Perl Module on your Linux box.  On RHEL, you can drop it into /usr/lib/perl5/site_perl.  The module is available for download from https://live.paloaltonetworks.com/docs/DOC-1662

7) Copy the pa-uid-safeconnect.pl script to your Linux box:

#!/usr/bin/perl
#
# pa-uid-safeconnect.pl
# Revision 0.2
#
# Collects username:IP pairings from your Impulse Point SafeConnect NAC box and loads the data
# into the Palo Alto Firewall's UserID agents.  The Palo Alto UserID agent runs on a Windows server;  you'll
# need two UserID agent boxes to use this script as-written.
#
# Requires the PAN::API and DBI Perl modules.   You'll also need to set up MySQL log export from your appliance
# to a MySQL database which is maintained on a separate server.  Ask your SafeConnect support rep for
# assistance in setting up the "BackupDB" export.
#
# This script was written for, and tested under, Red Hat Linux.
#
# NOTE:  The PAN::API module does not have proper error handling, and will die if an attempt is made to
# connect to a Palo Alto UserID agent box that is not responding.
#
# NOTE:  This file contains a database password.  Keep it readable only by the account that runs it
# (chmod 600), and give that MySQL user SELECT on the clienthist table and nothing more.
#
# eric@pskl.us 06.27.12
#
#
# Configuration Section #################################

# Your Palo Alto User-ID Agent boxes:

$server1="pa-uid-agent-1.pskl.us";
$server2="pa-uid-agent-2.pskl.us";

# Your BackupDB MySQL host and user; the specified user needs read access to the "clienthist" table.

$mysql_server="mysqlbox-14.pskl.us";
$mysql_username="MySQL_username";
$mysql_password="MySQL_password";

# How often do you require users to re-authenticate to SafeConnect, in days?
$safeconnect_reauth_time=7;

# Maximum number of submissions to the PA UID Agent per session (100 seems to work well).
$XMLSize=100;

# Enable debugging (yes/no).  Generates a lot of output, use with caution.

$debug="yes";

#### End of Configuration Section ####

use DBI();
use PAN::API;

# Create PAN::API Objects

$pa_uid_agent_1=PAN::API::UID->new($server1);
$pa_uid_agent_2=PAN::API::UID->new($server2);

# Connection to your SafeConnect BackupDB instance

my $dbobject = DBI->connect("DBI:mysql:database=backupDB;host=$mysql_server",
$mysql_username, $mysql_password, {'RaiseError' => 1});

# MySQL query string.  Pulls the last $safeconnect_reauth_time days of data, oldest first, so that
# the most recent pairing for an IP address is the one left in %ipdb below.

$query=<<EOF;
SELECT transDate,currentIpAddress,principal from clienthist where
DATE_SUB(CURDATE(), INTERVAL $safeconnect_reauth_time DAY) <= transDate order by transDate asc;
EOF

my $queryobject = $dbobject->prepare($query);

$queryobject->execute();

while (@row = $queryobject->fetchrow_array()) {

# Only process those entries with a username present..

if ( $row[2] ) {
# principal is "username,group1,group2,..."; keep only the username
($username, $groups)=split(",", $row[2]);
$ipdb{$row[1]}=$username;
if ( $debug eq "yes" ) {
print "Found pairing:  $row[0] $row[1] -> $username \n";
};
};
};

# Close the connection to the BackupDB

$queryobject->finish();

$dbobject->disconnect();

# Process collected data

$count=0;

foreach $ip ( keys %ipdb ) {

if ( $ipdb{$ip} eq "null" ) {

# ignore "null" entries - indicates user has policy key installed but has
# not logged in through the web interface

} else {

if ( $debug eq "yes" ) {
print "Processing $ip -> $ipdb{$ip}\n";
};

# Create the XML entries for this IP:Username pair
$pa_uid_agent_1->add('login',$ipdb{$ip},$ip);
$pa_uid_agent_2->add('login',$ipdb{$ip},$ip);
$count++;

if ( $count == $XMLSize ) {
# Submit data to the agent in batches of $XMLSize
$count=0;

if ( $debug eq "yes" ) {
print ">> Submitting batch to $server1\n";
};

$pa_uid_agent_1->submit();

if ( $debug eq "yes" ) {
print ">> Submitting batch to $server2\n";
};

$pa_uid_agent_2->submit();

};
};
};

# Submit any remaining entries

if ( $debug eq "yes" ) {
print ">> Submitting final batch to $server1\n";
};

$pa_uid_agent_1->submit();

if ( $debug eq "yes" ) {
print ">> Submitting final batch to $server2\n";
};

$pa_uid_agent_2->submit();

# Done

8) Run the script.  If everything is configured properly, you’ll see username:IP pairings being retrieved from your database and transmitted to the Palo Alto UserID agent boxes:

Found pairing:  2012-06-29 09:18:24 18.42.124.194 -> jdoe01
Found pairing:  2012-06-29 09:18:26 18.42.124.194 -> jdoe01
Found pairing:  2012-06-29 09:19:18 18.42.97.119 -> jdoe02
Found pairing:  2012-06-29 09:19:19 18.42.97.119 -> jdoe02
Found pairing:  2012-06-29 09:19:24 18.42.97.119 -> jdoe07
Found pairing:  2012-06-29 09:20:09 18.42.124.239 -> jdoe02
Found pairing:  2012-06-29 09:20:10 18.42.124.239 -> jdoe07
Found pairing:  2012-06-29 09:20:19 18.42.201.219 -> jdoe31
>> Submitting batch to pa-uid-agent-1.pskl.us
>> Submitting batch to pa-uid-agent-2.pskl.us

9) Check the Palo Alto UserID agent’s GUI.  Under the “Monitoring” tab, you’ll see the new entries appear.

10) Configure your Linux box to run the pa-uid-safeconnect.pl script periodically.  Once every four hours seems about right for an environment where users must re-authenticate once every seven days.  Adjust accordingly.

11) WIN!  Your Palo Alto firewall will now tag any applicable log entries with the corresponding username.
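The collection logic of the script above, as an added example in Python (not the author's code and not part of the original post): it loads a constructed set of clienthist rows into an in-memory SQLite table, runs the equivalent of the script's re-authentication-window query against a fixed clock, keeps the newest pairing per IP address, and chunks the result into batches of $XMLSize the way the script does before each submit(). The rows, timestamps and the batch size of 2 are constructed for the example; SQLite has no DATE_SUB, so the cutoff is computed in Python.

```python
import sqlite3
from datetime import datetime, timedelta

REAUTH_DAYS = 7   # $safeconnect_reauth_time
XML_SIZE = 2      # $XMLSize; 100 in the script, 2 here so the batching is visible

# Constructed rows in the shape of the SafeConnect "clienthist" export (transDate, currentIpAddress,
# principal).  principal is "username,group,..." or the literal "null" (policy key installed, no web login).
SAMPLE_ROWS = [
    ("2012-06-29 09:18:24", "18.42.124.194", "jdoe01,students"),
    ("2012-06-29 09:19:18", "18.42.97.119",  "jdoe02,students"),
    ("2012-06-29 09:19:24", "18.42.97.119",  "jdoe07,staff"),      # same address re-issued: newest wins
    ("2012-06-29 09:20:09", "18.42.124.239", "jdoe02,students"),
    ("2012-06-29 09:20:19", "18.42.201.219", "null"),              # policy key only, never logged in
    ("2012-06-29 09:21:00", "18.42.201.220", None),                # no principal at all
    ("2012-06-01 08:00:00", "18.42.10.10",   "stale01,students"),  # older than the re-auth window
]


def load_sample_db(rows=SAMPLE_ROWS):
    """In-memory stand-in for the BackupDB MySQL instance, filled with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clienthist (transDate TEXT, currentIpAddress TEXT, principal TEXT)")
    db.executemany("INSERT INTO clienthist VALUES (?, ?, ?)", rows)
    return db


def recent_pairings(db, now, reauth_days=REAUTH_DAYS):
    """Rows from the re-authentication window, oldest first.
    The script's MySQL form is DATE_SUB(CURDATE(), INTERVAL n DAY) <= transDate; CURDATE() is a
    date, so the cutoff is midnight n days ago, which the strftime below reproduces."""
    cutoff = (now - timedelta(days=reauth_days)).strftime("%Y-%m-%d")
    cur = db.execute(
        "SELECT transDate, currentIpAddress, principal FROM clienthist "
        "WHERE transDate >= ? ORDER BY transDate ASC", (cutoff,))
    return cur.fetchall()


def build_ip_map(rows):
    """IP -> username, as the script fills %ipdb: rows without a principal are skipped, the
    username is the part before the first comma, and a later row for the same IP overwrites."""
    ipdb = {}
    for _trans_date, ip, principal in rows:
        if not principal:
            continue
        ipdb[ip] = principal.split(",", 1)[0]
    return ipdb


def batches(ipdb, size=XML_SIZE):
    """Yield lists of (username, ip) of at most `size` entries, skipping 'null' pairings,
    mirroring the add()/submit() loop in the script.  Sorted for a stable order."""
    batch = []
    for ip, user in sorted(ipdb.items()):
        if user == "null":
            continue
        batch.append((user, ip))
        if len(batch) == size:
            yield batch
            batch = []
    if batch:           # the "remaining entries" submit at the end of the script
        yield batch


def collect(now=datetime(2012, 6, 29, 12, 0, 0)):
    """Run the whole pipeline on the constructed data; returns (ipdb, list of batches)."""
    db = load_sample_db()
    try:
        ipdb = build_ip_map(recent_pairings(db, now))
    finally:
        db.close()
    return ipdb, list(batches(ipdb))


if __name__ == "__main__":
    ipdb, chunks = collect()
    for ip, user in sorted(ipdb.items()):
        print("Found pairing:  %s -> %s" % (ip, user))
    for i, chunk in enumerate(chunks, 1):
        print(">> batch %d: %s" % (i, chunk))
```

One behaviour worth knowing: a later "null" row for an address replaces an earlier real username for that address, so nothing is sent for an IP that has since been handed to a client that has not logged in. That is the right outcome for User-ID, and the example preserves it by dropping "null" only at batching time, exactly where the script does.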

I hope this has been helpful.  Please leave any questions or comments in the forum below.

 


Integrate your Aruba Wireless User Data with your Palo Alto Firewall

by on Jun.27, 2012, under Code, Tutorials

The following script allows you to export Username:IP Address pairings from your Aruba Wireless Controller into your Palo Alto firewall.  This allows for super-fast identification of misbehaving clients and infected machines on your network.

Requirements:

  • A Palo Alto firewall and an Aruba Wireless controller (obviously)
  • A Linux box to run this script.
  • Two Windows servers.  If you’re an AD shop, just install these on any member server.

Setup:

1) Install the Palo Alto UserID Agent (download from the Palo Alto support site) on two member servers in your domain. The account you provide to the agent needs permission to read the event logs on the Domain Controllers. It must also have local administrator access to the box where it is installed.

2) Configure the Palo Alto UserID agent to accept incoming XML connections (Setup -> Edit -> Agent Service)

3) Configure the Access Control List of the PA User-ID Agent program to permit connections from your Linux box and your Palo Alto Firewalls. (Setup -> Access Control List -> Add). Be sure to permit ports 5006/TCP and 5007/TCP through any applicable firewalls as well.

4) Configure your Palo Alto firewalls to communicate with the UserID Agents. (From the WebUI, Device -> User Identification -> User-ID Agents). The port number is 5007.


5) Install the PAN::API Perl Module on your Linux box. On RHEL, you can drop it into /usr/lib/perl5/site_perl. The module is available for download from https://live.paloaltonetworks.com/docs/DOC-1662

6)  Copy the pa-uid-aruba.pl script to your Linux box:

#!/usr/bin/perl
#
# pa-uid-aruba.pl
# Rev 0.1
#
# Rev 0.2 - 7/2/12 - Removed double-backslash from posted usernames
#
# Collects username:IP pairings from your Aruba wireless controller(s) and loads the data
# into the Palo Alto Firewall's UserID agents.
#
# Requires the PAN::API Perl module and the snmpwalk binaries.
#
# NOTE:  The PAN::API module does not have proper error handling, and will die if an attempt is made to
# connect to a Palo Alto UserID agent box that is not responding.
#
# This script uses plain-text SNMP (v2c) to extract data from your Aruba controller; the community
# string and every username:IP pairing cross the wire unencrypted.  Be sure to use a secure, dedicated
# link between your management box and your controllers for this application, or move the snmpwalk
# below to SNMPv3 (-v 3 with authPriv) if your controllers support it.
#
# eric@pskl.us 06.27.12
#
#
# Configuration Section #################################

# Aruba boxes
@ArubaControllers=("aruba-master", "aruba-local");

# Credentials (a read-only community string; keep this file readable only by the account that runs it)
$ArubaCommunity="indiapaleale";

# Palo Alto Agents.

$PA_UID_Agent_1="auth-1.bucknell.edu";
$PA_UID_Agent_2="auth-2.bucknell.edu";

# Maximum number of submissions per session (100 seems to work well).
$XMLSize=100;

# Set to 1 for debugging output, 0 to run quietly.
$debug=1;

# End of Configuration Section ###########################

use PAN::API;

foreach $switch ( @ArubaControllers ) {

# Walk the Aruba user table; each row's OID ends in the client IP address and its value is the username.
@ArubaUsers=`/usr/bin/snmpwalk -v 2c -c $ArubaCommunity $switch 1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3`;

foreach $line ( @ArubaUsers ) {

if ( $line=~/\.(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) = STRING: "(.+)"/ ) {
$users{$1}=$2;
if ( $debug ) { print "From Aruba controller $switch:  $1 >> $2\n" };
$ArubaCount++;
};
};

};

if ( $debug ) { print "Found $ArubaCount IP:Username pairings.\n" };

$auth1=PAN::API::UID->new($PA_UID_Agent_1);
$auth2=PAN::API::UID->new($PA_UID_Agent_2);

$count=0;

foreach $ip ( keys %users ) {

# snmpwalk prints a literal backslash as "\\"; collapse it so DOMAIN\user is posted correctly
$users{$ip}=~s/\\\\/\\/g;
$auth1->add('login',"$users{$ip}","$ip");
$auth2->add('login',"$users{$ip}","$ip");

$count++;

if ( $count == $XMLSize ) {
$count=0;

if ( $debug ) {
print "Submitting $XMLSize entries to the PA-UID Agent boxes\n"; };

$auth1->submit();
$auth2->submit();
};

};

if ( $debug ) {
print "Submitting the balance of the entries to the PA-UID Agent boxes\n"; };

$auth1->submit();
$auth2->submit();

# Fin

7) Run the script.  If everything is configured properly, you’ll see username:IP pairings being retrieved from your Aruba controllers and transmitted to the Palo Alto UserID agent boxes:

From Aruba controller aruba1:  10.6.123.212 >> archer
From Aruba controller aruba1:  10.6.101.12 >> lana

From Aruba controller aruba1:  10.6.122.47 >> carol
From Aruba controller aruba1:  10.6.122.47 >> cheryl
From Aruba controller aruba1:  10.6.122.61 >> cyril
From Aruba controller aruba1:  10.6.116.131 >> seamus
Found 548 IP:Username pairings.
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting the balance of the entries to the PA-UID Agent boxes

8) Check the Palo Alto UserID agent’s GUI.  Under the “Monitoring” tab, you’ll see the new entries appear.

9) Configure your Linux box to run the pa-uid-aruba.pl script periodically.  Once every 30-60 minutes works well.

10) WIN!  Your Palo Alto firewall will now tag any applicable log entries with the corresponding username.
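The snmpwalk parsing step of the script above, as an added example in Python (not the author's script): it applies the same line pattern to constructed snmpwalk output, rejects an OID suffix that is not a valid IPv4 address, performs the double-backslash collapse from Rev 0.2, and builds the snmpwalk command as an argv list so the community string is never interpreted by a shell. The sample lines, addresses and usernames are made up; the OID is the one the script walks, and walk_controller() needs a reachable controller, so it is not exercised offline.

```python
import ipaddress
import re
import subprocess

# OID walked by the script: the Aruba user table, value = username, OID suffix = client IP.
ARUBA_USERNAME_OID = "1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3"

# Constructed snmpwalk output in numeric (-On) form; the addresses and names are invented.
SAMPLE_WALK = r""".1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3.10.6.123.212 = STRING: "archer"
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3.10.6.101.12 = STRING: "lana"
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3.10.6.122.47 = STRING: "carol"
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3.10.6.122.47 = STRING: "cheryl"
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3.10.6.116.131 = STRING: "CAMPUS\\seamus"
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3.10.6.116.140 = STRING: ""
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3.10.6.116.999 = STRING: "bogus"
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3.10.6.116.141 = Hex-STRING: 63 79 72 69 6C
"""

# Same pattern as the Perl script: the last four OID components, then a quoted STRING value.
LINE_RE = re.compile(r'\.(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) = STRING: "(.+)"$')


def parse_walk(text):
    """IP -> username from snmpwalk output.  A later row for the same IP overwrites an earlier
    one, as in the script's %users hash (the sample's carol/cheryl pair ends up as cheryl)."""
    users = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                       # Hex-STRING rows, empty names, error lines
        ip, user = m.groups()
        try:
            ipaddress.IPv4Address(ip)      # the regex accepts 999; reject it here
        except ValueError:
            continue
        users[ip] = user.replace("\\\\", "\\")   # snmpwalk escapes a backslash as \\ (Rev 0.2 fix)
    return users


def snmpwalk_argv(controller, community):
    """Command as a list: the community string is one argument and never reaches a shell,
    unlike the backtick interpolation in the Perl script."""
    return ["/usr/bin/snmpwalk", "-v", "2c", "-On", "-c", community, controller, ARUBA_USERNAME_OID]


def walk_controller(controller, community, timeout=30):
    """Run the walk against a live controller (needs network access; not exercised offline)."""
    proc = subprocess.run(snmpwalk_argv(controller, community), capture_output=True,
                          text=True, check=True, timeout=timeout)
    return parse_walk(proc.stdout)


if __name__ == "__main__":
    users = parse_walk(SAMPLE_WALK)
    for ip, user in sorted(users.items()):
        print("From constructed walk:  %s >> %s" % (ip, user))
    print("Found %d IP:Username pairings." % len(users))
```

The argv form matters beyond tidiness: the Perl version interpolates $ArubaCommunity and $switch into a shell command line, so a community string or hostname containing shell metacharacters would be executed rather than passed.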

I hope this has been helpful.  Please leave any questions or comments in the forum below.


Web Front-End for BotHunter

by on Dec.22, 2008, under Code

If you’re not using BotHunter alongside your current IDS systems, you should be.  BotHunter is a Snort derivative with a particular focus:  to identify botnet-infected systems on your network.  I’m currently using it at Bucknell University with great success.   The only downside that I have discovered is that the only GUI to BotHunter is X11.

I wanted to make the live BotHunter data available to our helpdesk staff, so I wrote a small Perl front-end to parse the current BotHunter output and create a simple Web GUI.  The main page lists all of the infected machines, ordered by the number of IDS hits:

The full logfile for a particular infected machine is available by clicking on the machine’s IP address from the index page:

System Requirements:  The script is written in Perl and has only been tested on RHEL5.  You’ll need the Net::DNS module from CPAN and the standard POSIX time libraries, which should already be on your system.

Download:  bothunter_report.pl

Usage:  Download bothunter_report.pl and place it in a convenient location on your system.   Create a web-accessible directory and configure bothunter_report.pl to point to it.  If you’ve installed BotHunter in a non-standard location, be sure to modify the $LOGFILE variable to point to the proper directory.

You can now run bothunter_report.pl and view the output using your browser.  On my systems, bothunter_report.pl is configured to run every five minutes out of cron.

Since BotHunter does not rotate its own log files, you may wish to periodically restart BotHunter so that the reports do not become infinitely large and therefore useless.  An easy way to do this is with a crontab entry:

0 12 * * * /etc/rc.d/init.d/zzzBotHunter_cta-bh restart

This restarts BotHunter, thus producing a new log file, every day at noon.

Thanks so much to everyone over at BotHunter.net for a wonderful product.  I owe you a beer.

~Eric


Decrypt those LWAPP Payloads

by on Nov.30, 2008, under Code

In our Defcon talk, “Medical Identity Theft” I touched on an issue that surprised a fair number of people.

In Cisco’s centralized wireless networking model, communication between the access point and the central controller uses LWAPP (Light Weight Access Point Protocol).  LWAPP has the ability to use very strong encryption, but only for the control traffic.  As it turns out, the client payloads are completely unencrypted: each client frame is simply concatenated behind a short LWAPP header, with none of the protection the control traffic gets.  Since the packets are in a non-standard format, however, typical packet analysis tools are not able to extract the client traffic.

Curious to find out more, I wrote a short bit of Perl to convert captured LWAPP packets into normal .pcap files.

LWAPPDecoder.pl

[ejsmith@linuxbox dc2008]$ ./lwappdecoder.pl lwapp-voice-call.pcap
467 packets exported from lwapp-voice-call.pcap to lwapp-voice-call-unlwapped.pcap

The attack I discussed at Defcon is as follows:  An attacker plugs into the uplink of a physically insecure LWAPP access point, and begins to collect LWAPP data.  Looking at these pcaps in Wireshark does not reveal too much:

Running this file through the decoder, however, reveals a captured VoIP call:

So what?  Imagine a highly secure 802.1x implementation that is being used to secure access to a legacy system running an unencrypted protocol such as telnet or FTP.  If the wireless security is well implemented, the chances of it being broken by an attacker are low.  A physically insecure access point provides a convenient means of exchanging this strong encryption for mere encapsulation.

Remember, physical security is even more important than logical security: If you can touch it, you can pwn it.

Here’s the script if you’d like to try it out.  lwappdecoder.pl.gz
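An added Python example of the conversion described above; it is not the author's lwappdecoder.pl, which is only available as the download. It reads an Ethernet pcap, picks out UDP packets to the LWAPP data port, strips the 6-byte LWAPP header and writes the inner 802.11 frames to a new pcap with link type 105, so Wireshark dissects them as wireless frames. Assumptions not stated on the page: Layer 3 LWAPP with the data channel on UDP 12222 and control on 12223, and the header layout of RFC 5412 (the published form of Cisco's protocol). Fragmented payloads are skipped rather than reassembled, and only classic pcap (not pcapng) is handled. The sample capture is constructed, not a recorded call.

```python
import struct

LWAPP_DATA_PORT = 12222      # assumed: UDP port of the LWAPP data channel (control is 12223)
LINKTYPE_ETHERNET = 1
LINKTYPE_IEEE802_11 = 105    # pcap link type for raw 802.11 frames


def pcap_write(packets, linktype):
    """Serialize (ts_sec, ts_usec, frame_bytes) records as a classic little-endian pcap image."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, pkt in packets:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def pcap_read(data):
    """Parse a classic pcap image into (linktype, [(ts_sec, ts_usec, frame_bytes), ...])."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        packets.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def lwapp_payload(frame):
    """Return the 802.11 frame inside an Ethernet/IPv4/UDP LWAPP data packet, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":        # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17:                                        # not UDP
        return None
    udp = 14 + ihl
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] != LWAPP_DATA_PORT:
        return None
    lw = udp + 8
    if len(frame) < lw + 6:
        return None
    # LWAPP header (RFC 5412): flags byte = VER(2) RID(3) C F L, then Frag ID, Length, Status/WLANs.
    flags, _frag_id, length, _status = struct.unpack("!BBHH", frame[lw:lw + 6])
    if (flags >> 2) & 1:                                       # C bit: control message, not client data
        return None
    if (flags >> 1) & 1:                                       # F bit: fragment; reassembly not done here
        return None
    return frame[lw + 6:lw + 6 + length]


def unlwapp(pcap_bytes):
    """Strip LWAPP from every data packet in an Ethernet capture; returns (new pcap bytes, count)."""
    linktype, packets = pcap_read(pcap_bytes)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet capture")
    inner = []
    for ts_sec, ts_usec, frame in packets:
        payload = lwapp_payload(frame)
        if payload:
            inner.append((ts_sec, ts_usec, payload))
    return pcap_write(inner, LINKTYPE_IEEE802_11), len(inner)


# --- constructed sample capture (not real traffic) ---------------------------------------------
SAMPLE_DOT11 = (b"\x08\x02\x2c\x00" + bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + bytes.fromhex("ccddeeff0011") + b"\x10\x00"                     # 802.11 data header
                + b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"constructed-ip-payload")  # LLC/SNAP + body


def _udp_packet(dport, payload):
    """Ethernet/IPv4/UDP wrapper with zero checksums; the decoder never validates them."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])) + udp
    return bytes.fromhex("0011223344556677889900aa") + b"\x08\x00" + ip


def build_sample_capture():
    data = _udp_packet(LWAPP_DATA_PORT, struct.pack("!BBHH", 0x00, 0, len(SAMPLE_DOT11), 0) + SAMPLE_DOT11)
    ctrl = _udp_packet(12223, struct.pack("!BBHH", 0x04, 0, 4, 0) + b"\x01\x02\x03\x04")   # control channel
    frag = _udp_packet(LWAPP_DATA_PORT, struct.pack("!BBHH", 0x02, 1, 8, 0) + b"\x00" * 8)  # F bit set
    dns = _udp_packet(53, b"\x00" * 12)                                                      # unrelated UDP
    return pcap_write([(1228003200, 0, data), (1228003200, 10, ctrl),
                       (1228003200, 20, frag), (1228003200, 30, dns)], LINKTYPE_ETHERNET)


if __name__ == "__main__":
    out, n = unlwapp(build_sample_capture())
    print("%d packets exported (%d bytes of pcap)" % (n, len(out)))
```

Writing the output with link type 105 is what makes the result useful: the extracted frames still carry their 802.11 headers, and without the right link type Wireshark would try to dissect them as Ethernet.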

~Eric


IPv4 Checksum Routine in Perl

by on Feb.09, 2008, under Code

Here’s a subroutine that I wrote a few years ago to calculate IPv4 checksums.

sub ipchecksum {
# Calculate the Internet Protocol checksum of the given hex string (the header with its
# checksum field set to 0000); returns four uppercase hex digits.
# pskl.us January 2006

my $hex = $_[0];
my $sum = 0;
my $word;

# Sum the header as 16-bit words; an odd trailing byte is padded with a zero byte on the right.
for (my $i = 0; $i < length($hex); $i += 4) {
    $word = substr($hex, $i, 4);
    $word .= '00' if length($word) == 2;
    $sum += hex $word;
}

# Fold the carries back into the low 16 bits (ones' complement addition).  A single fold is not
# always enough: a sum such as 0x1FFFF folds to 0x10000 and must be folded again.
while ($sum >> 16) {
    $sum = ($sum & 0xFFFF) + ($sum >> 16);
}

# The checksum is the ones' complement of the folded sum.
return sprintf("%04X", (~$sum) & 0xFFFF);

};
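The same calculation in Python, as an added example (not the author's code), covering the cases a single fold misses: a sum such as 0x1FFFF has to be folded twice, and an odd trailing byte is padded with zero. It also verifies a finished header the way a receiver does, by summing the header with the checksum field included and expecting 0xFFFF. The 20-byte sample header is constructed for the example, not taken from the page.

```python
# Constructed IPv4 header with the checksum field (bytes 10-11) zeroed, ready for computation.
IP_HEADER_NO_CKSUM = bytes.fromhex("4500 0073 0000 4000 4011 0000 c0a8 0001 c0a8 00c7")


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum of data; an odd trailing byte is padded with 0x00 on the right."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    # Fold until no carry remains.  One pass is not always enough: 0x1FFFF -> 0x10000 -> 0x0001.
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: the ones' complement of the ones' complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def checksum_hex(hexstr: str) -> str:
    """Same interface as the Perl ipchecksum() above: hex string in, four uppercase hex digits out."""
    return "%04X" % ip_checksum(bytes.fromhex(hexstr))


def fill_checksum(header: bytes) -> bytes:
    """Return the header with bytes 10-11 replaced by the checksum computed over the zeroed field."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + ip_checksum(zeroed).to_bytes(2, "big") + zeroed[12:]


def verify_ipv4_header(header: bytes) -> bool:
    """Receiver-side check: a header with a correct checksum sums (field included) to 0xFFFF."""
    if len(header) < 20:
        return False
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        return False
    return ones_complement_sum(header[:ihl]) == 0xFFFF


if __name__ == "__main__":
    done = fill_checksum(IP_HEADER_NO_CKSUM)
    print("checksum %s, verifies: %s" % (checksum_hex(IP_HEADER_NO_CKSUM), verify_ipv4_header(done)))
    print("double-fold case ffff ffff 0001 -> %04X" % ip_checksum(bytes.fromhex("ffffffff0001")))
```

The "ffff ffff 0001" input is the case to keep in mind: its word sum is 0x1FFFF, which a single fold turns into 0x10000, and subtracting that from 65535 (as the original one-line version did) goes negative instead of giving the correct 0xFFFE.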
