AD Authentication

AD Authentication with Firewall

How does AD Authentication with Firewall

One of our end customers wanted an AD Authentication to be done between its Head Office and Branch Office.

They had Sophos Firewall installed and wanted a secure connection in the entire network.

In this blog, we demonstrate how you can add an authentication server on Sophos Firewall and how to import AD groups. 

Here’s an overview of our process-

  • Refer to IP address as per the diagram
  • After Basic parameters configuration into the firewall, we need to create IPSEC tunnel between Head Office and Branch Office.
  • First, we need to create IPsec Tunnel between Head Office and BR_Office 1 & BR_Office 2.
  • Configure the Authentication server on all Firewall and
  • Install STAS into the Head Office AD server

IPsec Tunnel Configuration

Head Office Firewall Configuration

Step 1:

Host Creation

In your Sophos Panel, go to System >> Host and Services >> IP Host

In our case, as shown below we have created hosts for each the Head Office and the 2 branch offices.

Step 2:

Add IPSEC connection:

Configuration >> site-to-site VPN >> IPse

Step 3: Configure AD Server in firewall:

Under Configure, go to “Authentication” > Servers > Add

Select Server Type as “Active Directory”.

In the Connection Security option, make sure you either select SSL/TLS or START/TLS (as they are both secure)

Fill in the rest of the details and then click on the “Test Connection” button at the bottom to check the connectivity and then click on Save if everything is okay.

Before enabling STAS, you need to enable AD Authentication Service:

To do that, go to Adminstration > Device Access > Check necessary requirements and click on Apply

Once done, Go to Authentication > Services and choose your AD server as the primary authentication method before integrating STAS.

What is STAS?                       

Stands for Sophos Transparent Authentication Suite. By keeping track of domain controller events, Sophos STAS authentication can match authenticated users with their corresponding IP addresses. Once the user’s identity is known, the Sophos UTM can provide access based on that user.

How does Authentication work?

STAS tracks events taking place in the Domain Controller (DC). Each DC is supposed to track user log-ins and log-outs.

DC Collects these events and forwards them to the STAS Collector, the information collected is consolidated and forwarded to Sophos UTM along with the IP address and username.

The UTM pushes the Active Directory to establish which group the user falls under and then it allows or denies access based on permissions granted.

Integrate STAS:

  1. On the firewall, go to Authentication > STAS.
  2. Toggle On the Enable Sophos Transparent Authentication Suite and click Apply
  3. Click on Add new collector, specify your settings and then click Save

Add Firewall Rule:

STAT Configuration on AD Server:

  1. Download STAS Client from Firewall.

Configuration>>Authentication>>Client Download

Download it on Server Device

Install Client into AD server.

STAT Agent Configuration:

STAT Collector Configuration:

How to check if the STAS Service is Running or not

In order to check that, you need to start WMI Service in AD Server

Start WMI Service in AD Server:

Installed AD Certificate to Avoid SSL/TLS error:

It can happen to you that you get an SSL TLS Error when you try to work the above mentioned procedure. To avoid that, do the following:

Go t o AD Console>> Manage>> Add Roles and Features

Check Server Roles and check the status.

Now follow the IPSec Configuration step for the Branch offices as well and you are good to go.

Update esmc

Here’s how you can quickly update ESMC using the ESET Web console

What is ESMC?

ESMC stands for ESET Security Management Centre – it enables you to centrally manage all ESET products on servers, workstations and mobiles. Using the web console you can manage tasks, deploy ESET Solutions, enforce security policies and respond to issues arising through the remote computers.

 

To manage remote devices and to update ESMC-

  1. Login to the ERA (ESET Remote Administrator) Portal using a web browser (Google Chrome preferred).
  2. To check if an update is available, or to update the product, go to the help button (question mark) > Update Productupdate section
  3. Once you click on it, you will get an update popup. The popup will suggest and prompt you to take backup of all ESET Certification authorities (CA), Peer certificates and ESMC database.certificates
  4. To take backup of the above certificates, click on the open certification authorities (ca)or click on peer certificates  It will take you to certificate locations respectively where you can export them one by one.

 

Why take a backup of these certificates on ESMC?

As part of the installation/update process, ESMC needs a peer certificate for agents and a peer certificate authority and a certificate authority (CA). All these certificates are used to authenticate all the ESET Products that have been distributed under your license. For example, you can create a server certificate which will be required for distribution of ESET Server products.

  1. To export the certificate, click on one of the certificates and select “Export Public Key” It will download the certificate automatically. Follow the same steps for all certificates.

For database backup, click this link, which is suggested by ESET support. Or you can click on the OPEN DOCUMENTATION option to direct yourself to this link

 

Steps to take backup of the database



After taking backup we can go for an update. For that, Click the UPDATE button. An update of your ESMC Server is scheduled – in Client Tasks you can find a new client task that upgrades ESMC components on the computer where ESMC Server is installed. To update other ESMC components on the devices connected to ESMC Server to the latest version, you can trigger the Security Management Center Components Upgrade task directly from the update popup window.

 

Note: 

  1. After triggering the task you will lose connectivity of ESMC Console for some time until the ESMC upgrade process is done.
  2. Verify the updated version by going to appwiz.cpl or by login into the ESMC portal again and going to Help> About.
  3. Verify the connectivity after upgrading the ESMC by login into its Portal.
  4. Make sure that ESET Protect Server and Web console version (8.0) must be the same after update (refer given below SS) otherwise, it throws an error.

 

Some frequently asked questions:

What is ESMC console?

The traditional ERA Console has now been replaced by the ESMC (ESET Security Management Center) Web Console. It is the primary online interface that allows you to virtually administer and manage your clients and network from anywhere.

How do I access ESET management console?

If you are on a local ESMC Server: Open an ESMC-compatible web browser and type https://localhost/era in the address bar and you’ll be able to access the ESMC Web Console.

If your ESMC Server is accessible to outside connections: Open your web browser and type https://%yourservername%/era   Here you need to replace %yourservername% with your actual IP address or name of your web server

 

Which are the core components in Esmc 7 that must be installed?

For a perfect deployment, we recommend the following core components to be installed:

ESMC Web Console

ESET Management Agent

ESMC Server 

 

Is ESET Free?

ESET isn’t free but you can get a 30 day full-featured, free trial across all its 3 categories: Essential Protection, Advanced Protection and Ultimate Protection

Can you protect multiple devices using the free trial?

No. You can cover only 1 device during the trial but once you purchase the product, multiple devices can be secured via the ESET product of your choice.

Will ESET work if there is another pre-installed cybersecurity software?

It is best to uninstall any other software in the same category for this to work optimally.

 

Upcoming: 

We keep uploading new blogs quite frequently on our website- keep an eye out for those.

Lastly, if you need help with more such IT Solutions, feel free to reach out to us. We’ll be happy to resolve your queries. 

 

Sophos SSL VPN – Save Password

Sophos SSL VPN is a VPN software that establishes a highly encrypted and secure tunnel for remote workers to connect to. The end-to-end encrypted tunnel requires both an SSL Certificate and a username and password combination for authentication and to create a secure connection.

 

Sophos SSL VPN Client does not allow to save the username and password credentials by default. However, there is a workaround to save the username and password.

 

 

How to Save Password in a Sophos SSL VPN Client

  1. Create a text file with username in one line and password in the next line
  2. Save the file name as Password.txt
  3. Save it to the path location “C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config”save credentials sophos ssl vpn 
  4. Run Notepad with Administrative Privileges
  5. Open the configuration file in the above location. Scroll down to the line “auth-user-pass” and update that to:
    auth-user-pass password.txt

 

That’s it! You should now be able to just double click the Sophos SSL VPN Client icon and it will log in automatically without you having to enter the credentials.

 

Disclaimer:

However, we would like to bring to your notice that we do not endorse this. because if your systems’ security gets compromised for eg: A hack, then it could fall into the wrong hands.

Upcoming:

We keep uploading new blogs every week on our website- keep an eye out for those.

Lastly, if you need help with more such IT Solutions, feel free to reach out to us. We’ll be happy to resolve your queries. 

 

Lets-encrypt-winacme

Let’s Encrypt- Upgrade Win-Acme Version 1 to Version 2 

Win-Acme has reached end-of-life (EOL) for Version 1. Any renewals running on v1 will not work and it’ll have to be upgraded to win-acme v2. Followed by, the certificates being imported from v1 to v2. This blog will walk you through how you can upgrade win-acme version 1 to version 2.

Let’s Encrypt is a non-profit Certificate Authority that provides TLS certificates. These are free certificates to protect the traffic between your website (domain) and visitors. TLS stands for Transport Layer Security and SSL (Secure Socket Layer) is its predecessor. 

TLS Certificates are digital or private key certificates and files that are used to certify the ownership of a public key. 

The Certificate Authority (CA) signs and certifies indicating that they have indeed verified it and that it indeed belongs to the owners of the said domain. 

 

https

What information is carried by a TLS or SSL certificate? 

TLS or SSL Certificates contain: 

  • Domain Name 
  • Sub-domain Name 
  • Organization Name 
  • Name of the CA
  • Date of Issuance and expiry 
  • Digital Signature 

 

Port 80- Indicates HTTP- connects users to an unencrypted network 

Port 443- a default port for a secure encrypted protocol- Indicates HTTPS- connects users to a secure network. The port enables encrypted communication to pass between the server and the browser. 

 

What is Win-Acme? 

Win-Acme (Automated Certificate Management Environment) is an ACME client for Windows, hence win-acme. It is used with Let’s Encrypt, which was formerly known as letsencrypt-win-simple (LEWS). 

If you are considering using Let’s encrypt, win-acme will provide you with an automated and reliable way to renew the certificate. 

Ultimately, the most important aspect of any ACME client is the automatic renewal of the certificate. Win-acme creates a single scheduled task to renew all certificates on a server. This task does all the work to renew the certificate as soon as the first certificate is created.

 

This article will walk you through how you can perform the update: 

    1. Download win-acme v2.1.18
    2. Extract the contents of the zip file to a folder in the C drive
    3. Open the destination folder and run the file named “wacs.exe” (shown below) with administrative privilegesupgrade win-acme setup file

      win acme 2

    4. Select Option “O” followed by Option “I”. O will help manage renewals and I will import scheduled renewals from the previous version of win-acme. This will give you a list of options. You can go with the default options unless there are any settings that you need to modifyupgrade win-acme option O

      wacs3

    5. Now that you have imported the renewal tasks to the new client version, you can view and manage the renewals using option “A”.  Or you can directly select Option “R” which shows the number of renewals that are currently due.

Final step- upgrade to winacme version 2

Post-renewal and upgrade of Win-acme 

Post the renewal initiation, it will ask for the email address that you would like to receive your notification on, for any reminders and notifications.  

As with the previous version, make sure that port forwarding for port 80 and port 443 has been set up to the server.  on the IP address being resolved on the hostname for certificate SAN (Subject Alternative Name). Otherwise, the verification by Let’s Encrypt will fail and the certificate renewal will have an error. 

 

Upcoming

We keep uploading new blogs quite frequently on our website- keep an eye out for those.

Lastly, if you need help with more such IT Solutions, feel free to reach out to us. We’ll be happy to resolve your queries. 

scanning ssl

SSL Scanning

SSL Scanning: What you should know and how should you do? 

Most of the traffic passing through your network firewall these days is over SSL (Secure Socket Layer) or HTTPS.  Which means that it is encrypted in nature. And at some point, all IT Admins and MSPs (Managed Service Providers) have come through a question from the client which needs DPI (Deep Packet Inspection) to be implemented to be able to get full visibility of the traffic. This blog talks about scanning SSL traffic.

10 min read, 30-60 mins implementation with testing 

Before we go further, let us understand the biggest downside of the scanning and the error most users complain aboutInvalid certificate or red padlock icon in the browser wherein, the browser shows error and needs us to click on either the advanced tab or proceed to unsafe website. This by far is the biggest challenge we face in day-to-day administration.  

 

red padlock

 

Where does DPI come into the picture? 

The DPI on any firewall is used for two purposes 

  • To identify apps communicating over SSL  
  • For websites that use HTTPS. 

 

For Apps that use SSL, the DPI engine on any firewall would subject the traffic to an internal proxy engine. The proxy engine inside the firewall needs to see the traffic in plain text form. Accordingly, it decides whether to allow or drop the connection. Hence, when using the DPI enginetwo tunnels are created – one from the end-user computer to the firewall. Second from the firewall to the actual IP/website. As opposed to a normal connection where there will be end-to-end encryption with only one tunnel.  

 

https://en.wikipedia.org/wiki/Deep_packet_inspection

 

The approach with HTTPS websites is no different but there exists another method wherein the traffic can be done away with, without DPI scanning. This is done with the help of the common name on the certificate and DNS request. As we know, every client will request the IP address of the domain name it wants to browse with the DNS server.  

For the DNS approach, you must ensure that all outside DNSs are blocked. The only DNS that an internal user can use to query must be the firewall. 

For the common name approach, when the website responds to the HTTPS request, it sends the certificate information which has the common name (the website to which the certificate was issued). This information can be used to make a decision by the proxy engine to allow or drop the connection. However, the approach in both of the above cases is limited 

 

Let us see how a common name on the certificate looks like,

common name on ssl certificate

 

As seen in the screenshot above, the common name on the certificate is *.google.com. This is a good example showing the limitation of the DNS and common name-based approach. The proxy engine knows that the user is trying to browse some google service. However, it remains unknown until traffic is subjected to the Deep Packet Inspection. Similar certificates will be available if the end-user browses Gmail (Web-Email category), Google Drive (Storage category), Hangouts (Chat category), YouTube (Streaming category). 

 

 

How to get rid of the SSL certificate errors?

Based on the above examples, a certificate will be needed again for two purposes: 

  • For the firewall management portal including any end-user portal and other service portals 
  • For web proxy

 

Let’s take the case of the firewall management portal. Since this is presented to the user as a website, the browser checks URL match against the common name on the certificate. Most firewalls will have a self-signed CA (Certificate Authority) on them which will allow you to generate multiple certificates. Since these CAs are self-signed, their certificate chain and Root CA will not be trusted in the browser which results in the red padlock.

You can buy a certificate from any certificate distribution like GoDaddy, Let’s Encrypt, Comodo certificate and many more. But the certificate common name will have to match the URL you are opening in the browser.

For instance, you get a certificate for firewall.companyname.com, the firewall IPs must point to firewall.companyname.com. This can be done with the help of Zone editor on the web host (cPanel, etc.) side and Internal DNS ofirewall DNS for the internal IPs.  

 

If you use the DPI engine

If you are going to use the DPI engine, the firewall will be signing each website you visit and changing the root CA to its root CA (as this is another tunnel between the end-user machine and firewall). To overcome red padlock errors in this stage, you can either trust the firewall root CA in all the browsers or buy a CA ( Authority) certificate.

However, this option is very expensive as getting an authority certificate practically means you can sign any certificate. Every country has its local laws on defining who root CAs can be and it requires much documentation and compliance.  

Concisely, if DPI scanning is a priority, one should be looking at the ways they will push the root CA to be trusted in all the client browsers (domain computers, guests, mobiles, and more). Now, this can be done is by hosting it in a shared place that can be accessed by all devices. 

Finally, thanks for taking the time to read the article. We hope this enlightens you more about how you can scan your SSL traffic. Please share and let us know any other topics/articles you would like to see from our team of experts.  

 

Frequently Asked Questions

Can you inspect SSL Traffic?

Yes, an SSL certificate helps inspect all inbound and outbound traffic.

What is SSL deep inspection?

Deep Inspection of SSL is when data is decrypted and analyzed to see if it should be blocked and it is then re-encrypted.

How do firewalls inspect SSL Traffic?

Ideally, SSL Traffic cannot be inspected by any security gateway as it is encrypted. But there is an option of enabling HTTPS inspection wherein a new TLS connection is created and then the traffic can be decrypted and inspected.

 

How do I inspect my SSL Certificate?

If you want to see if your website or any other website that you are visiting has an SSL Certificate or not, you can check the URL. If the URL has an “S” after HTTP, then it indicates that the site is secure.

You can also get more information by checking the padlock icon beside the website URL.

If you want to view all certificates, press Win+R and type “certlm.msc”.

The certificate manager tool will appear. You’ll see that there’s a Certificate option on the left pane. Click on that and you’ll see a list of certificates that are available and click on the one that you want to view.

certificates

 

Why do we need SSL Decryption?

SSL Decryption allows you to have an in-depth look at the entire path not just an overview of the domain. Cyber attackers have learnt to encrypt and keep themselves undercover but decrypting the traffic helps have more control, more in-depth inspection and analysis, greater protection from malware threats, etc.

Upcoming

We keep uploading new blogs quite frequently on our website- keep an eye out for those.

Lastly, if you need help with more such IT Solutions, feel free to reach out to us. We’ll be happy to resolve your queries. 

 

 

Firewall Audit Checklist: All that you need to know

 

Stringent standards such as SOX, PCI-DSS, and HIPAA, are the reasons why network security audits are getting good coverage these days. Your network safety, business relationship with customers make you ensure that the network is secure even if you don’t need to comply with any of these standards. Firewall audits are one good way through which you can increase your chances of catching any threat or weakness present in the network security posture. They also help in ensuring that the security controls and policy controls are being reviewed. Our Firewall Audit Checklist is meant to ease the process for you.

Infrassist recommends regular firewall audits as firewalls require constant observation to provide optimum security for your enterprise. Although, most companies assume that they are protected and do not perform a regular firewall audit.  Here are some reasons why firewall audit should be a regular practice:

  • Enterprises think that they did secure configuration, but it is not truly secure
  • Firewalls are not investigated on a day to day basis
  • Small things like a temporary rule or a disabled rule can cause security breaches
  • Firewalls are not logged into every day to check the dashboards
  • Backups are not configured well
  • Multi-factor authentication is missing

While firewall audit may seem like a straightforward process, it requires as many efforts as a security assessment does. Let’s look at the firewall audit checklist:

Gather all information > Pre-audit

  • Ensure to have copies of security policies
  • Safety Check for access to all firewall logs
  • Details on current network dynamics
  • Review documentation from previous audits
  • Find all relevant ISPs and VPNs
  • Get all firewall vendor information
  • Comprehend the setup of all key servers

Review the Change Management Process:

  • Check the procedures for rule-base maintenance
  • Analyze the process for firewall changes
  • Ensure whether all previous changes were authorized

Audit the Firewall’s Physical and OS Security:

  • Ensure that your management servers are physically secure
  • Check the access procedures to these restricted locations
  • Verify all vendor updates have been applied
  • Make sure the OS passes common hardening checks
  • Assess the procedures for device administration

Optimize Your Rule Base:

  • Delete redundant rules
  • Delete or disable unused objects
  • Evaluate the order of firewall rules for performance
  • Remove unused connections
  • Document the rules and changes for future reference

Conduct a Risk Assessment:

  • Review industry best practices for methodology
  • Ask a series of thorough questions
  • Document your assessment and save it as a report

Improve Firewall Processes:

  • Replace error-prone manual tasks with automation
  • Make sure all auditing activities have been documented
  • Create an actionable firewall change workflow

If all the above steps are followed carefully, it is much easier to clear the firewall audits. For a large set of firewall audit, removing the margin for errors manually makes it worth the cost and effort. While this does cover all the scenarios that the engineers may encounter while evaluating the firewalls, it does give a broader idea of the actions that the engineers should take.

With decent experience in performing firewall audits, Infrassist has gained in-depth knowledge and expertise in performing firewall audits in diverse network scenarios. Look at a sample firewall report.