Monday 31 August 2015

Cloud Security Alliance CCSK Exam Experience

This evening I passed the Cloud Security Alliance CCSK exam, version 3.0. I studied for around a week, reading the two documents the certification is based on multiple times.

If you have been operating in the cloud space for any length of time and have some experience with authentication, key management and the like, you are probably about halfway to passing the exam, mainly because some of the questions are common sense.

The pass mark is 80%, so you will notice I only just passed with 82%. You have 90 minutes to answer 60 questions. Most of the questions are only a couple of sentences long, unlike some Microsoft certifications where you have a couple of paragraphs to read and digest. Luckily I passed on my first attempt, but the $345 (£230) fee does entitle you to two attempts.

If you read over the two study guides a couple of times and understand the content you should have no problems passing CCSK.

Friday 28 August 2015

Azure Site to Site VPN Hangs “Disconnecting Local Site” & Azure VM Provisioning Hangs “Creating Windows Server 2012 R2 Datacenter” for 1+ Hour

When you try to drop the Site to Site VPN connection from your data centre to the Azure cloud, it hangs for 30-40 minutes stating “Disconnecting local site….”. It normally only takes a couple of minutes to complete.

The disconnect was performed using the Preview Portal. The only way to force the disconnect is to use PowerShell.

Set-AzureVNetGateway –Disconnect –VNetName networkname –LocalNetworkSiteName sitename

You must do this from an administrative Azure PowerShell prompt. You can authenticate to the tenancy using:

Get-AzurePublishSettingsFile and Import-AzurePublishSettingsFile

Azure VM Provisioning Hangs “Creating Windows Server 2012 R2 Datacenter” for 1+ Hour
When you provision a new Windows Server 2012 R2 VM it hangs at the creating VM stage. It sits on “Creating Windows Server 2012 R2 Datacenter” for over an hour.

The following command can be used to force the VM provisioning to be stopped. The VM is stopped and deallocated (unless -StayProvisioned is given), so its IP addresses etc. are released; -Force suppresses the confirmation prompt that appears when it is the last VM in the deployment.

Stop-AzureVM -Name vm-name -ServiceName cloud-server-for-vm -Force
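The two commands above fire and return straight away, so you are left refreshing the portal to see whether they took effect. The following script is an added example (not from the original post) that wraps both in functions which poll the classic (Service Management) Azure PowerShell module until the gateway connection and the VM report the expected state. The VNet, local site, cloud service and VM names are placeholders, and the 30-second poll interval and 10-minute timeout are my own choices.

```powershell
# Added example: force a stuck site-to-site disconnect and a stuck VM stop from
# the classic Azure (Service Management) module, then poll until the state changes.
# VNet/site/service/VM names are placeholders; poll interval and timeout are assumptions.
Import-Module Azure

# Authenticate once: download the publish-settings file in a browser, then import it.
# Get-AzurePublishSettingsFile
# Import-AzurePublishSettingsFile -PublishSettingsFile "$env:USERPROFILE\Downloads\tenant.publishsettings"

function Disconnect-StuckLocalSite {
    param(
        [Parameter(Mandatory)] [string] $VNetName,
        [Parameter(Mandatory)] [string] $LocalNetworkSiteName,
        [int] $TimeoutMinutes = 10
    )
    Set-AzureVNetGateway -Disconnect -VNetName $VNetName -LocalNetworkSiteName $LocalNetworkSiteName | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        # ConnectivityState is Connected, Connecting or NotConnected
        $conn = Get-AzureVNetConnection -VNetName $VNetName |
            Where-Object { $_.LocalNetworkSiteName -eq $LocalNetworkSiteName }
        Write-Host ("{0}: {1}" -f $LocalNetworkSiteName, $conn.ConnectivityState)
    } until ($conn.ConnectivityState -eq 'NotConnected' -or (Get-Date) -gt $deadline)
    return $conn.ConnectivityState
}

function Stop-StuckVM {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $Name
    )
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $Name
    if (-not $vm) { throw "VM $Name not found in cloud service $ServiceName" }
    Write-Host ("Before: {0} / {1}" -f $vm.PowerState, $vm.InstanceStatus)
    # Without -StayProvisioned the VM is deallocated, which releases its IP addresses.
    # -Force suppresses the prompt shown when this is the last VM in the deployment.
    Stop-AzureVM -ServiceName $ServiceName -Name $Name -Force | Out-Null
    $after = Get-AzureVM -ServiceName $ServiceName -Name $Name
    Write-Host ("After: {0} / {1}" -f $after.PowerState, $after.InstanceStatus)
    return $after.PowerState
}

Disconnect-StuckLocalSite -VNetName 'networkname' -LocalNetworkSiteName 'sitename'
Stop-StuckVM -ServiceName 'cloud-server-for-vm' -Name 'vm-name'
```

If the connection is still reported as Connecting when the timeout expires, the gateway itself is wedged rather than the portal, and a support case is the next step rather than re-running the cmdlet.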

Wednesday 19 August 2015

Cisco ASA 9.x Static NAT with ASDM “Unable to Reserve Port 443”

I was trying to configure a static NAT rule to allow HTTPS traffic to a hosted web server. When I entered the last command I received “Unable to Reserve Port 443”; this was because another service on the ASA was already listening on TCP port 443 on that interface. Note also that a network object can hold only one nat statement, so publishing two ports needs two objects (the host address below is an example placeholder):

object network Outside_to_Inside_WS
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 80 80
object network Outside_to_Inside_WS_443
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 443 443

It was Cisco AnyConnect that was causing the problem, as the AnyConnect portal was being published on the HTTPS port. I disabled it from Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. This is a solution provided you are not using AnyConnect for user VPN.

If you are, you can instead change the port AnyConnect listens on by clicking Port Settings… on the same page, which frees TCP/443 on the outside interface for the NAT rule.
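The CLI equivalent of the Port Settings… route, as an added example rather than the original post's configuration: move the WebVPN/AnyConnect listener to another port, keep one network object per published port, and add the access list without which the static NAT still admits nothing from the outside. The 192.168.1.10 address, object names and the 8443 port are placeholders.

```text
! Added example (not the original post's config): keep AnyConnect but move it
! off TCP/443 so the web server's static NAT can reserve that port.
! Addresses, object names and port 8443 are placeholders.
webvpn
 port 8443
 enable outside
 anyconnect enable
!
! If ASDM is also reachable on the outside interface it must leave 443 too
! (http server enable <port>), otherwise the reservation still fails.
!
! One nat statement per network object, so one object per published port.
object network WS_http
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 80 80
object network WS_https
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 443 443
!
! NAT alone does not permit outside-to-inside traffic; an ACL on the outside
! interface must allow it. On ASA 8.3+ the ACL references the real (inside) address.
access-list outside_in extended permit tcp any host 192.168.1.10 eq 80
access-list outside_in extended permit tcp any host 192.168.1.10 eq 443
access-group outside_in in interface outside
```

Users then connect AnyConnect to https://<public-ip>:8443. Check with show run webvpn that the port took effect before re-entering the nat statement.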

Tuesday 11 August 2015

Config Cisco ASA as Domestic Broadband Router and NetGear Router as Access Point

For about the last 6 months I have had a Cisco ASA 5505 that I have meant to install into my home network. I bought it when I was studying for CCNA Security and it proved to be very useful for testing configurations etc. The plan was to implement it on my home network to provide an IPsec VPN for me whilst away from home. Having a proper firewall on my broadband connection also allows me to configure proper NAT for servers in my lab.

Today I got round to doing it. The topology, in order from the internet inwards, looks like this:

Virgin Media cable modem
Cisco ASA 5505 (router/firewall)
NetGear N300 WNR2000v2 (previously the router, now only an access point)

The cable connection terminates in the Virgin Media box, and from there an Ethernet cable runs to the "outside" interface on the ASA. That physical interface is configured to receive all of its configuration from the ISP's DHCP server (including the default route). One of the ordinary LAN Ethernet ports on the NetGear (not its WAN port) is then connected to the "inside" Layer 2 broadcast domain.

Configure Dynamic PAT

Dynamic Port Address Translation (PAT) is required to allow internal clients on the "inside" network to share the single public IP address on the "outside" interface of the ASA firewall. This will effectively allow the internal clients to "hide" behind the public IP address when accessing resources on the internet.

Click Configuration and expand Objects and then Network Objects/Groups.

Click Add, and then New Network Object. Change the type to Network so the PAT rule covers the entire inside range, enter the inside subnet and mask, and name it something descriptive. Click OK.

Click on NAT Rules from the Firewall settings and select Add/Add NAT Rule After "Network Object" NAT Rules...

Set Source Interface/Address to any/any and Destination Interface/Address to any/any. Set the Source NAT Type to Dynamic PAT (Hide) and the translated Source Address to the outside interface. Please bear in mind these values are relative to my interface names; if, for example, your external interface was named "internetinterface", that would be used instead of "outside".

Configure "outside" ASA interface DHCP from ISP

Configure the ASA's "outside" interface to use DHCP from the domestic broadband provider. You may have a static address, in which case you would configure the static details here instead.

Configure "inside" ASA interface as DHCP server

Configure the ASA's "inside" interface to be a DHCP server. This is needed because the DHCP server on the NetGear box will be disabled in the next step; two DHCP servers on the same broadcast domain would hand out conflicting leases.

Configure NetGear router to operate in only "access point" mode

This may vary slightly depending on your domestic router/AP. On mine it was only a case of clicking on LAN Setup, disabling the router as a DHCP server, and then setting the LAN TCP/IP address to a free static address on the inside network that lies outside the new DHCP scope configured on the "inside" interface of the ASA.

Test on wireless device

Now if I connect my laptop to the old network SSID it will get a DHCP address from the new pool created on the ASA firewall.

Cisco ASA's Part 2: Enabling the HTTP Server and Configuring Interfaces

If you are not doing Cisco as your full-time job, the chances are you get rusty around the exact commands required to perform even the easiest tasks. Luckily, with Cisco ASAs you have the option to manage the device using a graphical user interface, known as the Adaptive Security Device Manager (ASDM). Although the ASDM is a great tool, it does have its downfalls, the biggest one being that it is developed in Java and so needs a Java runtime on the admin workstation.

If your ASA does not currently have an operating system you may need to boot it into ROMMON mode, which can be done by breaking the boot sequence with the ESC key while the firewall is booting.

You will also need a TFTP server to copy the ASA and ASDM images onto the device's flash.

Once the ASDM and ASA images are on the device's flash you can statically set them as the primary images. To set a file called asdm.bin, for example, as the primary ASDM image, use the command asdm image flash:/asdm.bin, and use show asdm image to ensure it has been set properly.
Configure the logical VLAN 1 interface (the address and mask are placeholders for your own inside LAN):

interface vlan 1
nameif inside
security-level 100
ip address <inside-ip> <netmask>

Enable the HTTP server for ASDM access. The http command takes a network, mask and interface, so ASDM is only reachable from the inside subnet you list here:

http server enable
http <inside-network> <netmask> inside

Copy the running config to the startup config:
wr mem

Now cable your laptop or computer onto the same physical Layer 2 broadcast domain as the ASA; you will have to manually configure the network interface card with an IP address and subnet mask on the same logical network as the ASA.
Open a browser and connect to the ASA's VLAN 1 interface IP via HTTPS. Install the ASDM Launcher; you require valid credentials before it will allow you to download it from here.

By default a blank username and password will successfully log you into the ASA. Do not leave it that way: set an enable password and create a local user, then point HTTP (ASDM) authentication at the local user database before the outside interface goes live.

From the Home screen click, Configuration.

Click Interfaces from under Device Setup, and then click on the Switch Ports tab.

The physical interfaces you are going to use should be Enabled. Clicking Enable SwitchPort is the equivalent of issuing the no shutdown command at the CLI.

Click on the Interfaces tab, and then click Add. Select the physical interface from the Switch Ports list and use the Add button to move it into the Selected Switch Ports list.
Name the interface; this is the internet-facing WAN port so I have named it outside. The Security Level should be the lowest of all your networks for the internet-facing NICs (0 is the convention).

Depending on your ISP, select Obtain Address via DHCP for the WAN IP config and ensure the Obtain default route using DHCP option is selected.
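For anyone who would rather type it than click it, here is the CLI equivalent of the whole procedure, covering both the ASDM bootstrap steps in this Part 2 and the PAT, DHCP server and outside DHCP client steps from the "Config Cisco ASA as Domestic Broadband Router" section above. This is an added example, not the original post's configuration: the 192.168.10.0/24 subnet, the DHCP pool, the hostname and the <strong-password> placeholders are assumptions, and Ethernet0/0 is taken to be the port cabled to the cable modem (the 5505 factory default puts it in VLAN 2).

```text
! Added example (not the original post's config): CLI equivalent of the ASDM steps
! in "Config Cisco ASA as Domestic Broadband Router" and Part 2 above.
! 192.168.10.0/24, the DHCP pool, hostname and <strong-password> are placeholders.
hostname home-asa
!
! Physical switch ports: 0/0 to the cable modem (VLAN 2), 0/1 to the NetGear LAN port (VLAN 1)
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
! Logical interfaces: inside is the most trusted (100), outside the least (0)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Dynamic PAT (hide): the whole inside subnet shares the outside interface address
object network inside-net
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! ASA as DHCP server for the inside LAN (NetGear DHCP disabled);
! DNS servers are copied from the ISP lease on the outside interface
dhcpd address 192.168.10.100-192.168.10.200 inside
dhcpd auto_config outside
dhcpd enable inside
!
! ASDM only from the inside subnet, and never with the default blank credentials
http server enable
http 192.168.10.0 255.255.255.0 inside
username admin password <strong-password> privilege 15
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
enable password <strong-password>
!
write memory
```

After the outside interface picks up its lease, show interface Vlan2 and show route confirm the ISP address and the DHCP-learned default route; show xlate shows the PAT translations once an inside client browses out.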

Cisco ASA's Part 1: Introduction to the Cisco ASA Firewall, Stateful Filtering, Security Levels and Interface Names.

Cisco ASA 5505s are excellent hardware firewalls for home and small office environments. They offer most of the features available in the enterprise-level Cisco Adaptive Security Appliances. I had to get this one set up in my home lab network so that I could establish a dedicated site-to-site VPN with Microsoft Azure for testing purposes.

The interfaces on an ASA 5505 are numbered 0-7 (right to left); the last two (6 and 7) are Power over Ethernet capable. My interfaces are configured in the following way.
  • Interface 0 - "inside" with Security Level 100
  • Interface 1 - "outside" with Security Level 0
  • Interface 2 - "dmz" with Security Level 50
Each of the physical interfaces is assigned a name, here "inside", "outside" or "dmz". You can call these anything you like, but more often than not you will see them named something similar to the above.

Security Levels are assigned to interfaces to determine how "trusted" a particular network is. In this example the "inside" network (which is the internal LAN) is configured with the level of 100, then the DMZ 50 and the outside (internet facing) 0. By default traffic can flow from a higher security level to a lower one but not from lower to higher. The best analogy I have heard for this is to think of a waterfall: water flows down but cannot flow upwards.

That being said, stateful filtering is what allows the return traffic for those connections back through the firewall. For example, if a PC on the "inside" network visits a website on the internet, its packets leave the "inside" network and flow down to the "outside" interface. Most network communications would not work if the session could not be established between the PC and the web server, because the return traffic from the web server to the PC arrives at a security zone (or level) with a lower value than the internal network, and as we said, traffic can flow down from higher to lower but not from lower to higher. Stateful filtering makes this possible: the Cisco ASA maintains a state table of established connections, so return traffic is dynamically allowed back to the clients even though they reside in a security zone with a higher value than the "outside" interface. Traffic that genuinely originates on the lower-security side (for example, the internet reaching a web server in the DMZ) is not covered by the state table and must be explicitly permitted with an access list applied to the lower-security interface.

It is also worth noting that the actual values are irrelevant; instead of 100, 50 and 0 you could use 3, 2 and 1 and the effect would be the same, since only the relative ordering matters. The one exception is equal values: traffic between two interfaces with the same security level is denied unless you explicitly permit same-security inter-interface traffic, so keep the levels distinct unless that is what you want.

Monday 10 August 2015

Installing the ADFS 3.0 SCOM 2012 R2 Management Pack

There is a freely available Management Pack for OpsMgr to monitor the health of the ADFS service in your organization. You can download the OpsMgr ADFS MP from Microsoft.
Open the Operations Manager console, click Administration and then Management Packs. Click Import Management Packs... from the Tasks list.

Click Add and Add from Disk....

Point to the .MP file that is extracted when you run the installer you downloaded from Microsoft.
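The same import can be scripted from the Operations Manager Shell, which is handy when the pack has to land on several management groups. The following is an added example, not part of the original post: it connects to a management server, imports the .mp file extracted by the Microsoft installer, and then lists what is installed so you can confirm the name and version. The server name and the C:\MPs\ADFS.mp path are placeholders; the real extracted file name will differ.

```powershell
# Added example (not from the original post): import the ADFS management pack
# from the Operations Manager Shell and confirm it is installed.
# The management server name and the .mp path are placeholders.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'scom01.example.local'

function Import-AdfsManagementPack {
    param([Parameter(Mandatory)] [string] $MpPath)
    if (-not (Test-Path $MpPath)) { throw "Management pack not found: $MpPath" }
    # Import-SCOMManagementPack rejects the file if a dependency pack is missing,
    # so an error here usually means a prerequisite pack has not been imported yet.
    Import-SCOMManagementPack -Fullname $MpPath
    # Return what is now installed so the caller can check name, version and sealing
    return Get-SCOMManagementPack |
        Where-Object { $_.Name -like '*ADFS*' -or $_.DisplayName -like '*Federation*' } |
        Select-Object Name, DisplayName, Version, Sealed
}

Import-AdfsManagementPack -MpPath 'C:\MPs\ADFS.mp'
```

Run it under an account that holds the Operations Manager Administrators role; the import silently requires it, and a lesser account only gets an access-denied error from the SDK.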