Windows 10 KB3163018 Breaks CCM 9.0.1 SSL

After installing the Windows 10 KB3163018 update, you are no longer able to load Call Manager 9.0.1 web interfaces that use a self-signed certificate.

There’s a bit of talk on the KB here: https://community.spiceworks.com/topic/1666286-windows-10-kb3163018-breaks-stuff

And similar issues here for Viewmail on 11.5 – https://supportforums.cisco.com/discussion/13051441/cisco-viewmail-error

I haven’t been able to check whether this is resolved with a properly signed certificate, or whether it’s a limitation in the Tomcat library.

Interestingly, it doesn’t impact 7.1.5 clusters. I will check against 11.0.1 shortly.

UPDATE: 11.0.1 works fine, just the usual self signed certificate warning.

Easy Cisco NAT Pools and VRF’s

I’ve been struggling to find a quick and dirty guide to using NAT pool overloads between two VRFs. A lot of the guides I came across either involved RDs, BGP or NATting into the global routing table. All I wanted was to have Red talk to Blue by NATting the Red network to a NAT pool that is routable by Blue. In my scenario I have an internet connection in a WWW VRF and my internal servers in a 10 VRF. You could argue there is no reason to use VRFs at all in this specific example, as there is no benefit, but anyway. So here we go.

Build our VRFs

ip vrf 10
ip vrf WWW

Configure the interfaces with IPs in the right VRF

interface FastEthernet0/0
description Internet
ip vrf forwarding WWW
ip address 1.1.1.2 255.255.255.252
ip nat enable
duplex auto
speed auto

interface FastEthernet1/0
description Servers
ip vrf forwarding 10
ip address 10.0.0.1 255.255.255.0
ip nat enable
duplex auto
speed auto

Add a default route into the 10 VRF that exits via the Fa0/0 interface (which places the next-hop lookup in the WWW VRF) with a next hop of 1.1.1.1.

ip route vrf 10 0.0.0.0 0.0.0.0 FastEthernet0/0 1.1.1.1

Allow our hosts to use the NAT pool.

ip access-list extended NAT
permit ip 10.0.0.0 0.0.0.255 any

Make sure to append add-route to your NAT pool definition, otherwise return traffic will be dropped because there is no 3.3.3.0/24 route in the WWW VRF.

ip nat pool Global 3.3.3.1 3.3.3.3 netmask 255.255.255.0 add-route

Overload your NAT Pool in the 10 VRF.

ip nat source list NAT pool Global vrf 10 overload

HTH


NOTE: This only works in IOS, not IOS XE

DMVPN Tunnel Source Failover

Off the back of my last post about failing over outbound access using IP SLA and route-maps (here), I also needed to accommodate DMVPN tunnels in this process.

The issue I ran into is that on a DMVPN spoke we specify the tunnel source <interface> manually. When we fail over between two providers the exit interface obviously changes, which renders the tunnel useless.

I tried a few different workarounds, such as a duplicate tunnel to the same DMVPN hub and a new tunnel to a new DMVPN hub, but because my environment has a single telco at the DMVPN hub end I couldn’t pass traffic. I didn’t dive too deeply into why, but I suspect it was due to IPsec not being able to identify the correct source traffic as we were sharing interfaces and profiles.

There is a tunnel source dynamic command that Cisco supports, but I could only find documentation covering it in combination with routing protocols – again, not something that I could run in my environment.

In order to solve this, I threw in a simple EEM script. EEM applets take router events as inputs and execute actions that you define.

I put together an EEM applet that is triggered by the IP SLA track state change and literally types out the commands to change the tunnel source interface. See below.

! Track 1 (the IP SLA probe on the primary link) goes down: move the tunnel to the secondary interface
event manager applet change_dmvpn_source_down
event track 1 state down
action 1.0 cli command "enable"
action 1.5 cli command "config t"
action 2.0 cli command "interface tun0"
action 2.5 cli command "tunnel source gi0/2"
action 3.0 cli command "end"

! Track 1 comes back up: move the tunnel back to the primary interface
event manager applet change_dmvpn_source_up
event track 1 state up
action 1.0 cli command "enable"
action 1.5 cli command "config t"
action 2.0 cli command "interface tun0"
action 2.5 cli command "tunnel source gi0/0"
action 3.0 cli command "end"

EEM always seems a little crude to me, but in these types of scenarios when you are pigeon-holed on technology and need a quick fix it works quite well.

Easy Cisco IOS Dual WAN Failover – IP SLA, NAT, Route Maps

I was looking for a way to provide WAN failover to a site using two ISPs with unique NAT pools whilst avoiding BGP. Obviously BGP solves all of the issues that we are using IP SLA and route-maps for here, but the stipulation was no routing protocol. For whatever reason I couldn’t find a nice example, so here’s an easy to follow config that I knocked up as a POC. If you want to replicate this in GNS, drop the below config onto a 3725 platform and create a router for each Telco with the /30 WAN addressing and a static route for 3.3.3.0/24 and 4.4.4.0/24 respectively.

As an overview:

  • We want to preference Telco 1. Telco 2 should only be used if Telco 1 goes down.
  • Telco 1 has a WAN of 1.1.1.2/30. They statically route a prefix of 3.3.3.0/24 to us which we will use for NAT overload. If the Telco didn’t route us a prefix though we could just overload the WAN interface.
  • Telco 2 has a WAN of 2.2.2.2/30. They statically route a prefix of 4.4.4.0/24 to us which we will use for NAT overload. If the Telco didn’t route us a prefix though we could just overload the WAN interface.

We will create a track with IP SLA to track Telco 1’s WAN address. This could be any routable IP in their network though. We set a default route to this Telco with the track. We set another default route to Telco 2 with a higher AD. This takes care of our default route movements should Telco 1 go down.

We create two route-maps, one for each Telco. Each matches an ACL covering the inside IPs on our network; if you’re not worried about selectively providing NAT pool access, you can omit the ACL match. Each route-map also matches the exit interface for its Telco, so a clause only applies when both the ACL and the interface match.

We set up our NAT pools and NAT source mappings referencing our route-maps. One caveat: the route-map is only consulted when a translation is created, so entries built before a failover keep the old pool address until they time out or are cleared with clear ip nat translation *.

interface FastEthernet0/0
description To Telco 1
ip address 1.1.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

interface FastEthernet1/0
description To Telco 2
ip address 2.2.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

ip sla 1
icmp-echo 1.1.1.1 source-interface FastEthernet0/0
timeout 1000
threshold 800
frequency 30

ip sla schedule 1 life forever start-time now

track 1 rtr 1 reachability

ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.1 2

ip access-list extended NAT_ACL
permit ip 192.168.0.0 0.0.255.255 any

route-map Telco1 permit 10
match ip address NAT_ACL
match interface FastEthernet0/0

route-map Telco2 permit 10
match ip address NAT_ACL
match interface FastEthernet1/0

ip nat pool Telco1 3.3.3.1 3.3.3.1 netmask 255.255.255.0
ip nat pool Telco2 4.4.4.1 4.4.4.1 netmask 255.255.255.0
ip nat inside source route-map Telco1 pool Telco1 overload
ip nat inside source route-map Telco2 pool Telco2 overload
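A model of the decision logic in the config above, added here as an example (it is not Cisco code or anything from the original post): it reproduces how the default route is chosen between the tracked static and the floating static with AD 2, how the NAT route-map has to match both NAT_ACL and the exit interface, and why a translation created before a failover still carries the Telco 1 pool address afterwards. The interface names, addresses and pool values are taken from the config; the translation-table behaviour is modelled on IOS, not pulled from the post.

```python
"""Failover model for the dual WAN / route-map NAT config (added example)."""
import ipaddress

# Static defaults from the post: (next hop, exit interface, AD, tracked by track 1)
DEFAULT_ROUTES = [
    ("1.1.1.1", "FastEthernet0/0", 1, True),   # ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 1
    ("2.2.2.1", "FastEthernet1/0", 2, False),  # ip route 0.0.0.0 0.0.0.0 2.2.2.1 2
]
NAT_ACL = ipaddress.ip_network("192.168.0.0/16")  # permit ip 192.168.0.0 0.0.255.255 any
# route-map -> (interface it matches, pool address it hands out)
ROUTE_MAPS = {"Telco1": ("FastEthernet0/0", "3.3.3.1"),
              "Telco2": ("FastEthernet1/0", "4.4.4.1")}


class DualWanNat:
    def __init__(self):
        self.track_up = True     # state of "track 1 rtr 1 reachability"
        self.translations = {}   # (inside src, dst) -> inside global address

    def active_default(self):
        """The tracked static is withdrawn while track 1 is down; among the
        routes that remain the lowest administrative distance wins."""
        installed = [r for r in DEFAULT_ROUTES if not r[3] or self.track_up]
        return min(installed, key=lambda r: r[2])

    def forward(self, src, dst):
        """Return (exit interface, source address on the wire) for one flow.
        An existing translation is reused as IOS does: the route-map is only
        consulted when a new entry is created, so after a failover an old
        entry leaves Telco 2's link with Telco 1's pool address (modelled
        failure mode) until it is cleared or times out."""
        _, exit_if, _, _ = self.active_default()
        if (src, dst) not in self.translations:
            outside = src  # hosts outside NAT_ACL leave untranslated
            if ipaddress.ip_address(src) in NAT_ACL:
                for match_if, pool_ip in ROUTE_MAPS.values():
                    if match_if == exit_if:  # both match clauses satisfied
                        outside = pool_ip
            if outside != src:
                self.translations[(src, dst)] = outside
        return exit_if, self.translations.get((src, dst), src)

    def clear_translations(self):
        """Equivalent of 'clear ip nat translation *' after a failover."""
        self.translations.clear()
```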

CCM9 RIS WSDL in PHP

I recently spent a lot of time trying to pull out the IP address of a handset registered to a CUCM9 cluster via AXL. It turns out the standard AXL response doesn’t include this information as it’s handled by the RIS service.

I had some luck getting the RisPort WSDL working inside PHP but couldn’t return specific queries; everything I tried returned the first 1000 devices listed on the cluster.

I came across some varying info from Cisco regarding RIS.

From: https://developer.cisco.com/site/sxml/documents/api-reference/risport/#overview

The RisPort WSDL is deprecated. Use the RisPort70 WSDL.

I tried to use RisPort70 from my CCM’s RIS page but PHP complained that it wasn’t able to interpret the WSDL. Then I came across this, stating that the RPC-encoded WSDLs were being deprecated and replaced with doc/literal: http://solutionpartnerdashboard.cisco.com/web/sxml-developer/get-wsdl

Beginning in 9.0, the Serviceability XML WSDLs are available in both remote procedure call (RPC) encoded and doc/literal style formats.

Developers should migrate to the doc/literal style WSDL as soon as possible. Cisco plans to deprecate the rpc-encoded WSDL in Unified CM 11.0(1).

It stated that the RisPort70 RPC could be found at: https://servername:8443/realtimeservice/services/RisPort70?wsdl whilst the RisPort70 doc/literal could be found at https://ServerName:8443/realtimeservice2/services/RISService70?wsdl. I could hit the RISService70 even though the RIS page on my CCM didn’t list it. There was no small menu like in normal RIS – the page just returned the WSDL. Good enough for me.

After hacking around with the RISService70 and trying different approaches in CCM I finally got my PHP working. My PHP script now searches all clusters for a device registered with an IP address that I specify and returns the structure in an array that I can parse manually with PHP and then operate on.

<?php
// Doc/literal RISService70 endpoint; replace the host and credentials with your own.
$soapClientRIS70 = new SoapClient("https://YOURCCMHERE:8443/realtimeservice2/services/RISService70?wsdl",
    array('trace' => true,
          'exceptions' => true,
          'location' => "https://YOURCCMHERE:8443/realtimeservice2/services/RISService70?wsdl",
          'login' => 'youruserhere',
          'password' => 'yourpwdhere',
    ));

// Select registered devices on every node (empty NodeName) by IPv4 address.
$soap_response = $soapClientRIS70->SelectCmDevice(array(
    "StateInfo" => "",
    "CmSelectionCriteria" => array(
        "NodeName" => "",
        "Status" => "Registered",
        "SelectBy" => "IPV4Address",
        "SelectItems" => array("item" => array("Item" => "DEVICEIPADDRESSHERE")),
    ),
));

print_r($soap_response);
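The same query built and parsed by hand, as an added example that is not the post’s PHP: it emits the doc/literal SelectCmDevice body with the criteria used above and extracts device names, IPv4 addresses and status from the reply, skipping devices that report no IPv4 entry. The RIS namespace, the lower-case operation name, the response element layout and the sample reply are my assumptions modelled on the RisPort70 schema; check them against your cluster’s WSDL.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
RIS_NS = "http://schemas.cisco.com/ast/soap"   # assumed RisPort70 namespace


def build_select_cm_device(ip, status="Registered"):
    """Doc/literal body with the same criteria as the PHP call in the post:
    registered devices on all nodes (empty NodeName), selected by IPv4 address."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{RIS_NS}}}selectCmDevice")  # operation name assumed
    ET.SubElement(req, f"{{{RIS_NS}}}StateInfo").text = ""
    crit = ET.SubElement(req, f"{{{RIS_NS}}}CmSelectionCriteria")
    ET.SubElement(crit, f"{{{RIS_NS}}}NodeName").text = ""
    ET.SubElement(crit, f"{{{RIS_NS}}}Status").text = status
    ET.SubElement(crit, f"{{{RIS_NS}}}SelectBy").text = "IPV4Address"
    items = ET.SubElement(crit, f"{{{RIS_NS}}}SelectItems")
    item = ET.SubElement(items, f"{{{RIS_NS}}}item")
    ET.SubElement(item, f"{{{RIS_NS}}}Item").text = ip
    return ET.tostring(env, encoding="unicode")


def registered_devices(response_xml):
    """Walk CmNodes/item/CmDevices/item and return (node, device, ipv4, status)
    tuples. Devices without an IPv4 entry are skipped instead of raising."""
    root = ET.fromstring(response_xml)
    ns = {"r": RIS_NS}
    found = []
    for node in root.iterfind(".//r:CmNodes/r:item", ns):
        node_name = node.findtext("r:Name", default="", namespaces=ns)
        for dev in node.iterfind("r:CmDevices/r:item", ns):
            ipv4 = None
            for addr in dev.iterfind("r:IPAddress/r:item", ns):
                if addr.findtext("r:IPAddrType", default="", namespaces=ns) == "ipv4":
                    ipv4 = addr.findtext("r:IP", namespaces=ns)
            if ipv4 is None:
                continue
            found.append((node_name, dev.findtext("r:Name", namespaces=ns),
                          ipv4, dev.findtext("r:Status", namespaces=ns)))
    return found


# Constructed sample reply laid out like a RisPort70 response (all values made up).
SAMPLE_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:ns="{RIS_NS}">
<soapenv:Body><ns:selectCmDeviceResponse><ns:selectCmDeviceReturn>
<ns:SelectCmDeviceResult><ns:TotalDevicesFound>2</ns:TotalDevicesFound>
<ns:CmNodes><ns:item><ns:Name>cucm-sub1</ns:Name><ns:CmDevices>
<ns:item><ns:Name>SEP001122334455</ns:Name><ns:Status>Registered</ns:Status>
<ns:IPAddress><ns:item><ns:IP>10.0.0.50</ns:IP><ns:IPAddrType>ipv4</ns:IPAddrType>
</ns:item></ns:IPAddress></ns:item>
<ns:item><ns:Name>SEP66778899AABB</ns:Name><ns:Status>Registered</ns:Status>
<ns:IPAddress/></ns:item>
</ns:CmDevices></ns:item></ns:CmNodes>
</ns:SelectCmDeviceResult></ns:selectCmDeviceReturn></ns:selectCmDeviceResponse>
</soapenv:Body></soapenv:Envelope>"""
```

Post the output of build_select_cm_device() to the RISService70 URL with basic auth to get a real reply, then feed that reply to registered_devices().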

From there the Cisco RIS API documentation should provide you with everything else you need: https://developer.cisco.com/site/sxml/documents/api-reference/risport/#overview

I hope that this will be portable into CCM11 but I’m guessing that the WSDL will be updated – hopefully no structure will change, but some better error responses would be nice.

I hope that this serves to save someone the time that I spent trying to work this out…

A Very Brief Overview of Secure IM Services

The recent release of the TOR Messenger beta triggered me to look back into secure IM clients. I have tried a bunch of these in the past but most were in early development and hadn’t reached the maturity I was looking for.

Below is a very brief overview of the major secure IM services at the moment. NOTE: this is a very brief rushed list so I may have the details wrong – please let me know if so.

TOR Messenger

TOR Messenger Link

  • Uses Instantbird Client
  • Routes messages via TOR
  • Supports OTR (Encryption, PFS etc)
  • Supports existing transports (XMPP, IRC, Google Talk, Facebook, Twitter etc)
    • NOTE: All these methods require a centralised registration server for Metadata.
  • Supports Windows, Linux, Mac

Ricochet

Ricochet Link

  • Uses the Ricochet Client
  • Routes messages via TOR
  • Encryption is done via the TOR hidden service – not inherently built in via OTR
  • Supports only the ricochet transport
  • Supports Windows, Linux, Mac

TOX

TOX Link

  • Supports a number of open source clients
  • Routes messages via DHT
  • Implements their own version of OTR
  • Encryption is done via NaCl
  • Supports only the TOX transport
  • Supports Windows, Linux, Mac, Android

Bleep

Bleep Link

  • Uses the Bleep client
  • Routes messages via DHT
  • Uses ephemeral keys but cannot find details on crypto
  • Supports Windows, Mac, Android, iOS

A Busy Few Days in InfoSec

It has been a busy few days in the infosec environment, with a number of different articles and patches. This is just the latest collision in society’s ever-challenging ecology of digital information ownership.

OpenSSL

OpenSSL have pushed 7 new patches to different versions of their packages from Low to Moderate severities in their Security Advisory 11/6. For anyone up to date (you did patch for Heartbleed right?) with the OpenSSL packages, the latest 1.0.2b, 1.0.1n, 1.0.0s and 0.9.8zg contain the majority of the fixes.

https://www.openssl.org/news/secadv_20150611.txt

Kaspersky

Kaspersky have released information at a press conference detailing that their network was attacked by what they have dubbed Duqu 2.0. As Eugene stated:

“It’s almost a mix of Alien, Terminator and Predator, in terms of Hollywood,”

Duqu 2.0 looks to be the next generation Duqu which had clear ties to 2010’s Stuxnet and we all know the outcome of that story. It used 3 zero days to gain entry and once the machines were compromised resided completely in RAM and wrote no files to the disk or registry. Machines that were powered off were reinfected once they were booted by other machines that were also compromised.

“To get rid of [the] malware, it’s very simple — turn off all computers in network for half an hour, then the system will be clean.”

http://www.tomsguide.com/us/kaspersky-hack-israel-nsa,news-21084.html

Westnet

Westnet was an Australian ISP that was bought by iiNet in 2008. iiNet is now one of Australia’s largest ISPs and has a steadily growing userbase. A legacy Westnet system was compromised, with the attacker claiming access to 30,827 customer details.

http://www.watoday.com.au/digital-life/consumer-security/more-than-30000-iinet-customer-passwords-hacked-20150609-ghjmo2

Australia Set To Block Websites

Continuing with news from .au, a bipartisan report into proposed legislation to force Australian ISPs to block access to websites linked with piracy recommends the bill be passed. This paves the way for parliament to pass the bill into law.

The bill will allow copyright holders to apply for a federal court order that forces ISPs to block customers from accessing international websites serving pirated material.

http://www.computerworld.com.au/article/577223/bill-block-pirate-websites-gets-tick-approval/

This adds to the ongoing story in Australia, where there is a lot of movement around piracy and the protection of customers’ privacy rights.

http://www.smh.com.au/federal-politics/political-opinion/conroy-will-be-censoring-people-not-the-internet-20091217-kzxl.html

http://www.abc.net.au/news/2012-11-09/government-abandons-plans-for-internet-filter/4362354

http://blog.iinet.net.au/iinet-wins-copyright-battle/

http://www.theaustralian.com.au/business/latest/iinet-embroiled-in-fresh-piracy-court-battle/story-e6frg90f-1227099582270

http://www.afr.com/business/legal/dallas-buyers-club-wins-first-round-in-iinet-case-20150407-1mfqi1

UK Stingray Towers

Sky News has come across 20 rogue Stingray IMSI-catcher base stations around London that can be used to eavesdrop on mobile users. There’s a bit of toing and froing with the government departments in “I can neither confirm nor deny” type statements.

However, the most interesting thing from the article is:

“Some of what we would like to talk about to get the debate informed and logical, we can’t, because it would defeat the purpose of having the tactics in the first place. Frankly, some of what we need to do is intrusive, it is uncomfortable, and the important thing is we set that out openly and recognise there are difficult choices to be made.”

This seems to be the trend at the minute with society wanting to know more about their privacy rights in specific scenarios but departments not able to divulge information as it negates the premise of intelligence gathering. We are left in this awkward space of needing to trust government agencies, oversight committees or the government itself. Which brings us to the next article.

http://www.independent.co.uk/news/uk/home-news/fake-mobile-phone-towers-found-to-be-actively-listening-in-on-calls-in-uk-10311525.html

White House Legally Requests FISA Ignore Ruling Making Bulk Surveillance Illegal

  1. The Second Circuit Court of Appeals ruled that bulk collection of telephone metadata is unlawful. – http://www.wired.com/2015/05/breaking-news-federal-court-rules-nsa-bulk-data-collection-illegal/
  2. The Obama Administration makes a legal request to the Foreign Intelligence Surveillance court (FIS) to ignore the ruling. – http://www.theguardian.com/world/2015/jun/09/obama-fisa-court-surveillance-phone-records

There are a lot of moving parts to this issue, including that the FIS isn’t bound by the Second Circuit’s ruling, and that the Administration claims it is doing this to ease the transition to the incoming USA Freedom Act.

In any case it gives an indication (especially in policy) to the struggles with privacy rights and the gathering of information.

Please Don’t Compromise Our Encryption

Two different industry bodies (The Information Technology Industry Council and the Software and Information Industry Association) which represent a number of big players including Apple, Google, Facebook, IBM and Microsoft have directed a letter to President Obama and the FBI Director stating that they “are opposed to any policy actions or measures that would undermine encryption as an available and effective tool.”

This comes after debates over whether Congress will pass legislation to allow law enforcement to bypass encryption methods.

http://www.reuters.com/article/2015/06/09/us-cybersecurity-usa-encryption-idUSKBN0OP09R20150609


Bleep – Secure, Direct Communication

In the recent search for encrypted direct messaging and voice solutions I’ve come across Bleep. It’s been developed for iOS, Android, PC and Mac by BitTorrent.


The free platform touts direct connections between client endpoints, encrypted messages and calls, and a Snapchat-like mode called Whisper. The marketing states that endpoint connections use P2P technology and that adding friends uses a private-key-like system. This feels very similar to how the BT Sync client works, using a DHT and its friends. Here’s an excerpt from their support site:

Bleep tries to connect users directly and that means that a user’s friends (and only them) will have his/her IP address. Bleep is currently not using any onion routing to hide users’ IPs from their friends. This may change in the future. In cases where a direct connection is not possible because of network conditions, the peers use a relay server to connect to a friend. The relay server does not know the identity of the users that it connects to, nor can it read the content of the messages that it forwards.

Bleep doesn’t mention what type of encryption it uses but does say that it implements PFS.

Currently multiple devices aren’t supported but there are suggestions that they are working on this as well as offline messages. This would be critical to gain acceptance by mobile users to compete with iMessage and Facebook Messenger, which have also been a sticking point with similar encrypted, distributed messenger platforms.



Other solutions that I’ve used before like TOX based clients don’t have nice support for all platforms so it’s good to see a solid charge into the space to get users relying on the platform.

http://www.bleep.pm/

http://bleep-help.bittorrent.com/


A New Change

Well, I’ve noticed over the last while that the blog is suffering from some major attrition from real life. Information and network security is so fast-moving, and requires so much technical depth and time, that I don’t have the time to continually post things here. In fact the trend of recent posts has not been security focused but more of a general IT focus.

The time has come for a change where I will include anything IRL or !IRL for my own amusement.