Friday, October 30, 2015

Logstash filters

It is not always a good thing to have options, many of them. I tend to start thinking about all the combinations, the pluses and minuses of every aspect. And how about the future: what possible negative consequences could it have if I choose a instead of b now, and how hard would it be to change back?

Diving into logstash, not to mention logstash-forwarder (lumberjack), is a daunting task. It's not difficult or hard to understand, but dealing with all the choices is.

Recently I had a dilemma, no big thing, but anyway: when to set "type"?

But the real question is: why set type at all? Well, the typical use is to tell logstash how to deal with and process the data. Do we really need the type setting? Not really, but it simplifies the configuration and makes it more readable too.

I hastily set up logstash-forwarder on a web server with a large amount of traffic and, without really thinking about any technical/architectural decisions, set the type on the client. When working through the pipeline and finally configuring logstash, I noticed that type was already set, but not to exactly what fitted my need.

Type was set on the client to apache-access; the access log needs its own type declaration since the log format is different from e.g. the error log. But on the logstash side I had set this to the more general type 'apache'. I could not just change this since logstash was already receiving data from other servers in production.

So back to options. A neat thing with logstash-forwarder is the annotation of the object sent: if data comes from a log file, the object is annotated with the file it came from. Then with some grok'ing it's easy to filter objects based on not only the set type, but also the source file name.

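E.g.
filter {
  # Select on both the type and the source file name that
  # logstash-forwarder puts in the "file" field, then parse the line.
  if [type] == "apache" and [file] =~ /access\.log$/ {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
  }
}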

StrongSWAN for IPSec IKEv2 remote access server


Finding the configuration sweet spot that allows any client to connect is a lengthy and tiresome process, mostly due to the lack of documentation of the clients and also due to the vast amount of bugs that cause all kinds of weirdness and the need for workarounds.

Strongswan is an awesome ipsec suite that has, as far as I know, the best open-source support for IKEv2, which is becoming more and more common, with Apple supporting it on both mobile and desktop OS.

Just a few notes below on my findings that might help others on the way. My background is setting up an ipsec system based on Strongswan supporting a very large user base with a lot of automation, and I even wrote my own 2-factor system integrated on top of everything. Server side auth, client challenge.


OS X 10.11, iOS 8 and newer

Certificates
The client never asks for the server certificate if it does not know what to ask for. That means a configuration profile is needed with proper CN set or a public certificate. I would recommend the latter for the ease of deployment.

SplitDNS
Having problems getting the DNS pushed from the server to work? The DNS payload is actually pushed from the server and installed/accepted by the client; check for yourself by running
scutil --dns
...but they are never used. The workaround is to use a configuration profile; with this you even get split DNS, so it is absolutely worth doing.

Config snippet from a profile
            <key>DNS</key>
            <dict>
                <key>ServerAddresses</key>
                <array>
                    <string>110.10.11.4</string>
                    <string>110.10.11.5</string>
                </array>
                <key>SearchDomains</key>
                <array>
                    <string>roger.se</string>
                    <string>skjetlein.no</string>
                </array>
                <key>SupplementalMatchDomains</key>
                <array>
                    <string>roger.se</string>
                    <string>skjetlein.no</string>
                </array>
            </dict>


Default encryption proposals

OS X 10.11
  • IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

iOS 9
  • IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  • IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
  • IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

Microsoft Windows 7 & 8

Windows is a sad story with a dash of the typical Microsoft screwing up of standards and insane technical implementation.

The out-of-the-box IKEv2, albeit one of the first movers, has some strange behaviours that are worth mentioning.

NAT and DH2
NAT together with DH2 works great. But if you change the Diffie-Hellman group to something else, the client will disconnect after approx 50 minutes. The reason is that Windows wants to rekey, and when using NAT the rekey fails and the client disconnects.

Routing, TS and SA Child
Forget about TS and SA Child. Windows doesn't use the TS, and you need to use the capability accessible via the GUI to set the following options
  • All traffic routed via VPN
  • Classful routing
  • No traffic via VPN
Classful routing is an oddity where the client sets up a route based on the prefix of the assigned virtual IP. E.g. given an address on the 34.2.3.0 network, a 34.0.0.0/8 route will be installed. Why this? I don't know, but my impression after digging through the innards of Windows is that this is not only remnants from the modem/PPP time, but is the main VPN framework.

No traffic via VPN forces you to set the routes manually after connecting, either by running route add commands in a shell or by using the CMAK package from Microsoft, which will add the routes for you.
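
The classful route from the example above, worked through in code so you can see which internal prefixes it already covers and which still need a manual route. This is an added example, not part of the original post: the function names are hypothetical, the class B and C boundaries are the standard classful ones and are assumed to apply to the Windows client the same way as the class A case in the text, and the two extra prefixes are the ones used in the PowerShell script further down.

```python
import ipaddress

def classful_route(virtual_ip):
    """Route a client using classful routing installs for its virtual IP."""
    addr = ipaddress.IPv4Address(virtual_ip)
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8        # class A, the case described in the text
    elif first_octet < 192:
        prefix = 16       # class B (assumed to follow the same rule)
    elif first_octet < 224:
        prefix = 24       # class C (assumed to follow the same rule)
    else:
        raise ValueError(f"{virtual_ip} is not a class A, B or C address")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def route_plan(virtual_ip, internal_prefixes):
    """Compare the classful route with the prefixes that should use the tunnel.

    Returns (route, covered, manual, extra): prefixes the route already
    covers, prefixes that need a manual route, and how many addresses the
    route sends into the tunnel that are in none of the listed prefixes
    (the listed prefixes are assumed not to overlap).
    """
    route = classful_route(virtual_ip)
    nets = [ipaddress.ip_network(p) for p in internal_prefixes]
    covered = [n for n in nets if n.subnet_of(route)]
    manual = [n for n in nets if not n.subnet_of(route)]
    extra = route.num_addresses - sum(n.num_addresses for n in covered)
    return str(route), [str(n) for n in covered], [str(n) for n in manual], extra

if __name__ == "__main__":
    # Constructed input: a virtual IP on the 34.2.3.0 network from the text.
    print(route_plan("34.2.3.10", ["34.2.3.0/24", "1.2.3.0/24", "2.3.4.0/24"]))
```

The last value is the point to watch: with a class A virtual IP pool, nearly the whole /8 is pulled into the tunnel even though only one /24 of it is yours.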

Default encryption proposals

  • IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  • IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  • IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  • IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  • IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
  • IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024

Microsoft Windows 8.1 & 10

Getting things running here is much easier, and my preferred method is to deploy a PowerShell script that creates the VPN profile and sets up correct routing and auth methods.

Example script
# Create an IKEv2 profile with split tunneling, then add one route per internal prefix
Add-VpnConnection -Name "Workplace" -SplitTunneling -ServerAddress vpn.workplace.ne -AuthenticationMethod Eap -EncryptionLevel Required -TunnelType Ikev2
Add-VpnConnectionRoute -ConnectionName "Workplace" -DestinationPrefix 1.2.3.0/24
Add-VpnConnectionRoute -ConnectionName "Workplace" -DestinationPrefix 2.3.4.0/24

Default encryption proposals

  • IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  • IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  • IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
  • IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  • IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  • IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
  • IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  • IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  • IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
  • IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  • IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  • IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
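
To turn the default proposal lists in this post into a server-side setting, the added example below (not part of the original post) parses the proposal strings, picks the strongest one each client offers by default, and builds a strict strongSwan ipsec.conf `ike=` value from them. The function names and the strength ranking are assumptions of this example; the PRF is left out of the keyword because in every proposal listed it matches the integrity algorithm.

```python
# Transform names as they appear in the lists above -> (ipsec.conf keyword,
# rank). The ranks only order the output and are an assumption of this example.
ENC = {"3DES_CBC": ("3des", 0), "AES_CBC_128": ("aes128", 1),
       "AES_CBC_192": ("aes192", 2), "AES_CBC_256": ("aes256", 3)}
INTEG = {"HMAC_SHA1_96": ("sha1", 0), "HMAC_SHA2_256_128": ("sha256", 1),
         "HMAC_SHA2_384_192": ("sha384", 2)}

# Default proposals copied from the lists on this page.
CLIENTS = {
    "osx-10.11": ["IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"],
    "ios-9": [
        "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
        "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536",
        "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    ],
    "windows-7-8": [
        "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
        "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
        "IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024",
        "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024",
        "IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024",
        "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024",
    ],
}

def parse(proposal):
    """Return (sort_key, keyword) for one proposal string."""
    enc, integ, _prf, dh = proposal.split(":", 1)[1].split("/")
    bits = int(dh.split("_")[1])
    (e, e_rank), (i, i_rank) = ENC[enc], INTEG[integ]
    return (bits, e_rank, i_rank), f"{e}-{i}-modp{bits}"

def strongest(proposals):
    """Keyword for the strongest proposal in a client's default list."""
    return max(parse(p) for p in proposals)[1]

def ike_line(clients):
    """Strict ('!') ike= value: each client's best default, strongest first."""
    best = {max(parse(p) for p in props) for props in clients.values()}
    return "ike=" + ",".join(kw for _, kw in sorted(best, reverse=True)) + "!"

def weak_parts(keyword):
    """Parts of a keyword that rely on 3DES, SHA-1 or a 1024-bit group."""
    return [p for p in keyword.split("-") if p in ("3des", "sha1", "modp1024")]

if __name__ == "__main__":
    for name, props in CLIENTS.items():
        print(name, strongest(props), weak_parts(strongest(props)))
    print(ike_line(CLIENTS))
```

The OS X 10.11 default is the one that keeps 3des-sha1-modp1024 in the server's list; it only goes away if that client gets stronger settings through a configuration profile.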


Tuesday, October 27, 2015

Fun with IPSec IKEv2 for remote access

The *emerging IKEv2 standard enables roaming clients to finally use ipsec to its full extent, without the hassle of being disconnected or struggling with other finicky problems.

Microsoft has supported IKEv2 on the client side since 2009, from Windows 7 onwards, but their half-assed implementation is a sad example of how they, in their typical way, like to break a good standard with their own interpretation, or the lack of one.

Short summary of Microsoft as an IKEv2 client:

  • Ignores the traffic selectors (TS) when setting up routes
  • Cannot set local and remote ID
  • Forced dead peer detection
  • Hardcoded rekeying intervals
  • Drops SA_Child when no traffic, 5 minutes hardcoded
  • Uses classful routing or any traffic via VPN
  • Must add routes after connect for Windows 8 and older when not using the brainless Microsoft routing defaults
  • Particularly regarding Diffie-Hellman: with anything but group 2, the client drops the SA child when behind NAT and rekeying
  • +++

In particular, ignoring the TS sent from the server causes a great deal of problems when you do not want to use the default routing decisions, which in most cases means any corporate or larger-scale implementation.


Apple as an IKEv2 client:

  • Supports the full implementation, really not much to say
  • Additional settings such as encryption, timeouts etc. must be set through a config profile
  • DNS and split DNS settings not supported via IKEv2 payload, only through config profile
    • Rumour says that Apple will support the new upcoming RFC for name resolution/split DNS payload through IKEv2



* IKEv2 is indeed not a new standard; it has been there for years through well-known RFCs. But now Apple has started to support it on both desktop and portable platforms, and I think this will open the eyes of many.

Solutions for connecting clients

Microsoft Windows 8 and older
Use the dreaded CMAK tool from Microsoft. CMAK is cumbersome, full of bugs and generally sucks.

Microsoft Windows 8.1 and newer
Use a PowerShell script to set up a proper connection that allows split tunneling, for the reasons explained earlier.

Apple OS X 10.11
Use the built-in IKEv2 VPN capability. It fully supports IKEv2 except for DNS. You need to use a configuration profile to support split DNS, or DNS at all, since the current implementation does not install the DNS received via the IKEv2 payload correctly.

Apple OS X 10.10 and older
Use the StrongSWAN native client; this fully supports IKEv2, but not split DNS.

Apple iOS 8
Use a profile as explained for OS X

Apple iOS 9
Use the built-in VPN setup, or use a configuration profile to achieve split DNS.

Android
Use the StrongSWAN client downloadable via Google Play



VoWifi leaking IMSI

This is mostly a copy of the working group two blog I worked for when the research was done into the fields of imsi leakage when using voice...