Disclaimer

The content of this material is challenges faced onsite and how I personally resolved them. Please note that the solutions posted here

1> should not be considered ultimate. The material may be considered for reference only.

2> should not be considered a guarantee that the solutions will work. Contact Cyberoam support before making any changes.

3> this blog does NOT belong to Cyberoam. It's a blog... a personal blog.

Changes done after referring to this site may seriously damage the network. So...

........DO CHANGES AT YOUR OWN RISK

(please contact Cyberoam support before implementing any changes)

Friday 21 February 2014

Port LED status of Cyberoam

Wondering what the PORT LEDs on a Cyberoam tell you? The left LED shows link, the right LED distinguishes the negotiated speed, and the colours differ per model family. Check below:

Appliance Models: 15iNG/25iNG/35iNG
  10M   link up : Green (left)
  100M  link up : Green (left) + Amber (right)
  1000M link up : Green (left) + Green (right)

Appliance Models: 50iNG/100iNG
  10M   link up : Amber (left)
  100M  link up : Amber (left) + Green (right)
  1000M link up : Amber (left) + Green (right)

Appliance Models: 200iNG/300iNG
  10M   link up : Green (left)
  100M  link up : Green (left) + Green (right)
  1000M link up : Green (left) + Amber (right)

IPSEC phase 1 explained

I will try to explain phase 1 of IPSec (the IKE phase 1 negotiation):

Below is a slide from CCNSE where VPN is explained, but for those of us who are hungry for more, the details below might help.


I will explain main mode with PSK. Before that we need to understand how a DH group works.

 

DH (Diffie-Hellman): this is a key exchange (key agreement) protocol. Please note that at no point in IPSec does either peer send the PSK over the wire. DH is public-key cryptography, not encryption: each peer generates a private value, derives a public value from it, sends only the public value, and both peers arrive at the same shared secret. The DH group number selects the size of the modulus used (group 1 = 768-bit, group 2 = 1024-bit, group 5 = 1536-bit, group 14 = 2048-bit); a bigger group is stronger and slower.



Both sides have the same pre-shared key (PSK) configured. I hope till now we are on the same page. Now let us go into more depth.

 

In the first message

A (initiator) sends -> SA proposal(s): encryption algorithm, hash/authentication algorithm, authentication method (PSK here), DH group, SA lifetime


In the second message

B (responder) matches the proposals against its own policy and sends the single accepted proposal back to A. This is done because you may have configured multiple combinations of encryption and authentication algorithms; B picks the first one it also supports and both peers proceed with that.

 

-------------------------------------IKE policy exchange DONE----------------------------------------------------


In the third message:

A sends Apu and AEX, which are its DH public value (the KE payload) and a nonce (random number) respectively. B, having generated its own private value Bpr, public value Bpu and nonce BEX, will do three things:

a>   combine AEX + BEX + PSK (a keyed hash of the two nonces, keyed with the PSK) to derive the first of the four session keys, SKEYID_1 (plain SKEYID in RFC 2409)

b>   combine Apu + Bpr (modular exponentiation) -> DH shared secret K. A does the same with Bpu + Apr. Note that K will be the same on both peers although it never travels on the wire.

c>   K + SKEYID_1 (plus the ISAKMP cookies of both peers) will derive three further keys =>

 Key 1 > SKEYID_E (encryption key) -> Used to encrypt the 5th and 6th ISAKMP messages and later phase 2 traffic

 Key 2 > SKEYID_A (authentication key) -> Used as the key of the HMAC that authenticates subsequent ISAKMP messages

Key 3 > SKEYID_D (derivation key) -> Used in phase 2 (Quick Mode) to derive the IPSec SA keys. If PFS is enabled, a fresh DH exchange is done in phase 2 and its result is mixed in together with SKEYID_D.

 

In the fourth message

B sends Bpu and BEX, which are its public value and nonce (random number) respectively. A does the same three things as explained above and ends up with the same K and the same SKEYID_E, SKEYID_A and SKEYID_D. Note that nobody has been authenticated yet: anyone could have run the exchange this far without knowing the PSK, which is exactly what messages 5 and 6 fix.

 

------IKE policy has been agreed upon (messages 1 and 2), keying material has been exchanged (messages 3 and 4), and session key values have been calculated---------


In the fifth message

A sends its ID payload together with HASH_I, a keyed hash computed over the DH public values, both cookies, A's SA proposal and the ID payload, keyed from SKEYID_1, which only a peer holding the same PSK can derive. The whole message is encrypted with SKEYID_E. B decrypts it, recomputes the hash locally from the same inputs and compares; if the hash matches and the ID payload matches the peer it expects, A is authenticated.
In main mode with PSK the ID payload is simply the IP address of the initiator. B has to pick the PSK by the initiator's source IP before it can decrypt message 5, which is why main mode with PSK needs a fixed peer address.

In the sixth message

The same is done in the other direction: B sends its ID payload and HASH_R, again encrypted with SKEYID_E. A checks the ID payload and verifies the hash, and B is authenticated.


Phase I is done.
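To make the derivation above concrete, here is an added example (my code, not part of the original post and not Cyberoam's implementation) that runs the six main-mode messages between two peers in Python: a DH group 2 exchange, SKEYID from PSK and nonces, the three derived keys, and HASH_I/HASH_R per RFC 2409 with SHA-1 as the PRF. The encryption of messages 5 and 6 under SKEYID_E is noted but not simulated, and the SA proposal is a placeholder byte string; the IP addresses are documentation-range values. The point it shows is that the DH secret K comes out equal even when the PSKs differ, while the authentication hashes and session keys only match when both sides hold the same PSK.

```python
import hashlib
import hmac
import os

# DH group 2: the 1024-bit MODP prime and generator 2 from RFC 2409 section 6.2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key, data):
    """IKEv1 PRF: HMAC with the negotiated hash algorithm (SHA-1 in this example)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Peer:
    """One IKE peer. Only .pub, .nonce, .cookie and .ident ever leave this object."""

    def __init__(self, psk, ident):
        self.psk = psk.encode()
        self.ident = ident.encode()                  # ID payload body: the peer's IP address
        self.cookie = os.urandom(8)                  # ISAKMP cookie
        self.nonce = os.urandom(16)                  # AEX / BEX in the post
        self.priv = int.from_bytes(os.urandom(128), "big") % (P - 3) + 2  # Apr / Bpr
        self.pub = pow(G, self.priv, P)              # Apu / Bpu: the KE payload

    def dh_secret(self, peer_pub):
        """K = g^xy: identical on both sides, never transmitted."""
        return pow(peer_pub, self.priv, P)


def derive_keys(psk, ni, nr, k, cky_i, cky_r):
    """RFC 2409 section 5: SKEYID for PSK authentication and the three derived keys."""
    skeyid = prf(psk, ni + nr)                                            # SKEYID_1 in the post
    skeyid_d = prf(skeyid, i2b(k) + cky_i + cky_r + b"\x00")              # feeds phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + i2b(k) + cky_i + cky_r + b"\x01")   # HMAC key
    skeyid_e = prf(skeyid, skeyid_a + i2b(k) + cky_i + cky_r + b"\x02")   # encrypts msg 5/6
    return {"skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def auth_hash(skeyid, pub_self, pub_peer, cky_self, cky_peer, sa_i, ident):
    """HASH_I / HASH_R: keyed over the DH publics, cookies, initiator SA proposal and ID."""
    return prf(skeyid, i2b(pub_self) + i2b(pub_peer) + cky_self + cky_peer + sa_i + ident)


def main_mode(a, b, sa_i=b"AES-128/SHA1/PSK/DH2/28800"):
    """Runs messages 1-6 between initiator a and responder b and reports what each
    side concluded. sa_i stands in for the encoded SA proposal of message 1."""
    # msg 1-2: proposal offered and accepted (sa_i)
    # msg 3-4: KE + nonce exchanged; each side computes K and the SKEYIDs locally
    k_a = a.dh_secret(b.pub)
    k_b = b.dh_secret(a.pub)
    keys_a = derive_keys(a.psk, a.nonce, b.nonce, k_a, a.cookie, b.cookie)
    keys_b = derive_keys(b.psk, a.nonce, b.nonce, k_b, a.cookie, b.cookie)
    # msg 5: A -> B { ID_A, HASH_I }, encrypted under SKEYID_e (encryption not simulated)
    hash_i = auth_hash(keys_a["skeyid"], a.pub, b.pub, a.cookie, b.cookie, sa_i, a.ident)
    hash_i_expected = auth_hash(keys_b["skeyid"], a.pub, b.pub, a.cookie, b.cookie, sa_i, a.ident)
    # msg 6: B -> A { ID_B, HASH_R }
    hash_r = auth_hash(keys_b["skeyid"], b.pub, a.pub, b.cookie, a.cookie, sa_i, b.ident)
    hash_r_expected = auth_hash(keys_a["skeyid"], b.pub, a.pub, b.cookie, a.cookie, sa_i, b.ident)
    return {
        "dh_secret_matches": k_a == k_b,
        "responder_authenticated_initiator": hmac.compare_digest(hash_i, hash_i_expected),
        "initiator_authenticated_responder": hmac.compare_digest(hash_r, hash_r_expected),
        "session_keys_match": keys_a["e"] == keys_b["e"] and keys_a["a"] == keys_b["a"],
    }


if __name__ == "__main__":
    print("same PSK:", main_mode(Peer("s3cret", "198.51.100.1"), Peer("s3cret", "203.0.113.1")))
    print("PSK mismatch:", main_mode(Peer("s3cret", "198.51.100.1"), Peer("wrong", "203.0.113.1")))
```

Run it twice as in the usage block: with matching PSKs every flag is True; with a wrong PSK on one side the DH secret still agrees (DH does not involve the PSK) but the hashes and the derived SKEYID_E/SKEYID_A differ, so the peer is rejected at message 5 without the PSK ever having been sent.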


Thursday 13 February 2014

TCPDUMP with Cyberoam : in depth Analysis

As promised, here is how you can interpret tcpdump output on Cyberoam. In this article I replace the source IP with SRC and the destination IP with DST.

1> TCP on port 80: a simple three-way handshake

console> tcpdump "host DST and port 80"
tcpdump: Starting Packet Dump
07:11:33.546865 PortB, OUT: IP SRC.48500 > DST.80: Flags [S], seq 1143423923, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
07:11:33.800460 PortB, IN: IP DST.80 > SRC.48500: Flags [S.], seq 2495986521, ack 1143423924, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
07:11:33.800545 PortB, OUT: IP SRC.48500 > DST.80: Flags [.], ack 1, win 183, length 0

I will explain the first packet; after that it will be easy to understand the other packets:


07:11:33.546865 PortB, OUT: IP SRC.48500 > DST.80: Flags [S], seq 1143423923, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0

I will try to add my two cents on window scaling in the next blog.

Cyberoam Slow Internet

Today I had a long customer call. The Cyberoam was very slow and was not reacting to GUI menu clicks, and internet browsing was very slow. The total download bandwidth allotted to the customer by the ISP was around 15 Mbps, but a speedtest showed only 5 Mbps. Below is the logical flow of the troubleshooting path which helped me troubleshoot and resolve the issue:
==============================================================
Note: First create a plain firewall rule for a single LAN IP address and check whether the behaviour persists. If it does, follow the steps below. If not, some policy applied on the firewall rule is the cause, usually an IPS policy. Try fine-tuning the IPS policy by removing unwanted signatures: for example, there is no need to scan traffic for FTP vulnerabilities if the server actually hosted is an SMTP server.
==============================================================
1> Searching for brute force attacks from the WAN:

Browse to Logs & Reports > Log Viewer > Admin Logs. There were a lot of failed admin login attempts.

Action: Disabled WAN access on port 23 (telnet) and port 22 (SSH), both TCP, and disabled WAN access to the Cyberoam on port 80 (HTTP). We can do this by browsing to
System > Administration > Appliance Access (tab).

2> DoS attack:

Enabled the DoS settings and could see a lot of ICMP flood. We found that it was a user's laptop in the LAN that was generating too much traffic. The administrator helped us remove the PC from the network as the primary mitigation. (I will discuss in another blog how to check whether a PC is infected and what process to follow for a security incident.)

3> Still the speed was stuck at 5 Mbps. Now I wanted to check whether application classification was causing the trouble, so I disabled application classification from the CLI

Command: cyberoam application_classification off

4> Still the same behaviour, 5 Mbps. Next was to check the MSS settings.

Theory of MSS and MTU:  http://cyberoamexpert.blogspot.in/2012/02/mss-and-mtu.html

I started a tcpdump from the CLI for a particular IP on port 80 (try whichever TCP port the traffic actually uses)

console> tcpdump "host 203.**.**.*** and port 80"

From an internal PC behind the Cyberoam we telnetted to port 80 of 203.**.**.*** and found the MSS values below

First Packet : A SYN packet
07:11:33.546865 PortB_PPP, OUT: IP 184.**.***.*.48500 > 203.**.**.***.80: Flags [S], seq 1143423923, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0

Reply packet : A SYN/ACK
07:11:33.800460 PortB_PPP, IN: IP 203.**.**.***.80 > 184.**.***.*.48500: Flags [S.], seq 2495986521, ack 1143423924, win 14600, options [mss 1376,nop,nop,sackOK,nop,wscale 7], length 0

(I am going to add a new blog on understanding the TCP in more depth soon)

The two mss values (1460 in our SYN, 1376 in the SYN/ACK) do not match. The interface here is a PPPoE link (PortB_PPP), whose MTU is smaller than the 1500 bytes of plain Ethernet, so a SYN advertising mss 1460 invites the remote side to send segments the link cannot carry without fragmentation; where fragments or ICMP "fragmentation needed" messages get dropped on the path, transfers crawl. We changed the MSS value on port B of the Cyberoam from the GUI: Network > Interfaces > Advanced Settings > Override MSS.

Speed went from 5Mbps to 14.86Mbps and thus resolving the issue.
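As an added example (my code, not from this post or from Cyberoam), here is a small Python parser for the tcpdump lines shown in the handshake post above and in the MSS check here. It pulls out direction, flags, sequence/ack numbers, window and TCP options from each line, compares the MSS each side announced in SYN and SYN/ACK, checks our SYN's MSS against a link MTU you supply, and applies the announced window scale to a post-handshake "win" value. The sample lines are constructed copies of the capture above with the addresses moved to RFC 5737 documentation ranges, and the PPPoE MTU of 1492 used at the bottom is an assumption, not a value from the post.

```python
import re

# Constructed sample modelled on the capture in the post (addresses changed to
# RFC 5737 documentation ranges). Sample input only, not a real dump.
SAMPLE = """\
07:11:33.546865 PortB_PPP, OUT: IP 198.51.100.7.48500 > 203.0.113.9.80: Flags [S], seq 1143423923, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
07:11:33.800460 PortB_PPP, IN: IP 203.0.113.9.80 > 198.51.100.7.48500: Flags [S.], seq 2495986521, ack 1143423924, win 14600, options [mss 1376,nop,nop,sackOK,nop,wscale 7], length 0
07:11:33.800545 PortB_PPP, OUT: IP 198.51.100.7.48500 > 203.0.113.9.80: Flags [.], ack 1, win 183, length 0
"""

# One Cyberoam tcpdump line: timestamp, port, direction, then the usual tcpdump TCP summary.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>[^,]+), (?P<dir>IN|OUT): IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+))?"
    r"(?:, ack (?P<ack>\d+))?"
    r", win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?"
    r", length (?P<length>\d+)$"
)

FLAG_NAMES = {"S": "SYN", ".": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}


def parse_options(text):
    """'mss 1460,nop,nop,sackOK,nop,wscale 7' -> {'mss': 1460, 'sackOK': True, 'wscale': 7}"""
    opts = {}
    for item in (text or "").split(","):
        item = item.strip()
        if not item or item == "nop":          # nop is padding, carries nothing
            continue
        name, _, value = item.partition(" ")
        opts[name] = int(value) if value.isdigit() else True
    return opts


def parse_line(line):
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised tcpdump line: " + line)
    d = m.groupdict()
    return {
        "ts": d["ts"], "iface": d["iface"], "dir": d["dir"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": [FLAG_NAMES.get(c, c) for c in d["flags"]],
        "seq": int(d["seq"]) if d["seq"] else None,
        "ack": int(d["ack"]) if d["ack"] else None,
        "win": int(d["win"]),
        "options": parse_options(d["opts"]),
        "length": int(d["length"]),
    }


def parse_dump(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def check_handshake(pkts, link_mtu=None):
    """MSS and window scale announced by each side; if the link MTU is known, say
    whether our own SYN promised more than the link can carry (MTU minus 40 bytes
    of IPv4 + TCP header)."""
    syn = next(p for p in pkts if p["flags"] == ["SYN"])
    synack = next(p for p in pkts if p["flags"] == ["SYN", "ACK"])
    result = {
        "syn_mss": syn["options"].get("mss"),
        "synack_mss": synack["options"].get("mss"),
        "syn_wscale": syn["options"].get("wscale", 0),
        "synack_wscale": synack["options"].get("wscale", 0),
    }
    result["mss_mismatch"] = result["syn_mss"] != result["synack_mss"]
    if link_mtu is not None:
        result["max_mss_for_link"] = link_mtu - 40
        result["syn_mss_exceeds_link"] = result["syn_mss"] > link_mtu - 40
    return result


def effective_window(pkt, wscale):
    """After the handshake, 'win' is multiplied by 2^wscale announced in that sender's SYN."""
    return pkt["win"] << wscale


if __name__ == "__main__":
    pkts = parse_dump(SAMPLE)
    verdict = check_handshake(pkts, link_mtu=1492)      # 1492: assumed PPPoE MTU
    print(verdict)
    print("real window of packet 3:", effective_window(pkts[2], verdict["syn_wscale"]))
```

With the post's numbers the check reports syn_mss 1460 against a safe maximum of 1452 for a 1492-byte PPPoE link, which is the situation the Override MSS setting on PortB fixes; the third packet's "win 183" with wscale 5 is really 5856 bytes, which is the window-scaling point promised for the next post.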

Cyberoam Firmware nomenclature


Below are the naming conventions Cyberoam uses for the firmware it releases. It's a brief description, but I think it is enough to get a fair idea. I would like to add a few important notes:

1> If you upload and boot a firmware that has architectural changes, the appliance will boot with the new firmware and that will be the only firmware on the appliance. You can only upgrade further to newer versions; there is no way to downgrade once you have uploaded and booted an architecture-enhanced version.

2> A valid 8*5 (support subscription) is a must for the appliance to be upgraded. No valid 8*5 :: no upgrade.
3> No valid 8*5 :: HA, Multi-link manager, Routing, Firewall, QoS, Identity, VPN and SSL-VPN will continue to work.



Tuesday 11 February 2014

Cyberoam is now SOPHOS

http://www.sophos.com/en-us/press-office/press-releases/2014/02/sophos-acquires-cyberoam-technologies.aspx

QoS in Cyberoam

A couple of days ago I was deploying a Cyberoam unit at a customer's site. We were replacing a Cisco router with a Cyberoam unit. The customer was overall happy with the Cyberoam; however, he was unsure about the QoS feature. The primary reason to replace the Cisco router with a Cyberoam was to get better performance in terms of security: since the Cisco router was already being used as a zone-based firewall, its overall performance was not up to the mark.
Besides, configuring a Cisco router is a tedious task compared with the Cyberoam.

However, as said, the customer was a little suspicious about QoS, since he had 50 VoIP phones in the network. Let me tell you about Cisco QoS: it is a very granular and efficient QoS feature/module. Cisco calls its QoS MQC (Modular QoS CLI), where the whole job of configuring class maps and policy maps and applying them to services or interfaces is done through specific CLI commands. The disadvantage is that you really have to be a Cisco CLI master to do the configuration, otherwise you are in the dock. On the other hand, Cyberoam is very easy to configure and play with, and you don't have to be a Cyberoam or security master to configure things.

Cyberoam gives you complete control over the kind of traffic policing and shaping you would like to have over applications and, most importantly, users, which is missing in Cisco routers. In Cyberoam you have the power to prioritize or police bandwidth for a web category or for a chosen group of websites or URLs, which again is not available on a Cisco router.

Improved application control

I am a great fan of UTM devices that give complete and granular control over different layer 7 applications. Cyberoam is one of the best application control UTMs. In one of my previous articles, A Fight for the best application filter, I mentioned how applications have changed over the years while we have not seen any significant change in firewalls.

Coming to Cyberoam, it is a feature-rich product and I can feel the kind of effort being put into making it a world-class product. Now they have come up with improved application control features, with a new way of categorizing applications. I really liked this improvement. Cyberoam represents applications according to:

1. Name
2. Category
3. Risk
4. Characteristics
5. Technology

Here is the screenshot:

This will give users more granular control over applications. I believe this was a long-pending feature, and at last we have it. Cyberoam can identify over 1000 applications, which is better than some other UTMs.
With the improvement in categorization, the reporting feature has also seen a lot of changes.

Reporting has always been one of the best features of Cyberoam. You really have to work on a Cyberoam UTM device to feel the power it holds. The on-appliance iView is one of the best reporting systems. It has a hawk's eye and provides drill-down reports up to the 3rd level for forensic analysis. The new reporting system is faster and more eye-catching, with its instant horizontal, vertical and pie-chart representation of the logs.

NTLM: Beginning of an Era

At last Cyberoam has what I always wanted to see in it since the beginning: a single sign-on method where I no longer have to install any .exe file on my AD servers. Although I love the existing method Cyberoam uses to implement SSO (single sign-on), I always faced the challenge that many customers were not ready to install any software on their AD servers. The existing SSO method used by Cyberoam uses CTAS, a suite of software installed on the AD server; although it is a flawless way of performing SSO, it had some challenges in DHCP environments. I am sure the introduction of NTLM in Cyberoam will overcome these challenges.
NTLM is actually a Microsoft protocol that dates from the Windows NT era. According to Microsoft it is a protocol suite that provides authentication, integrity and confidentiality to users. I know quite a few vendors who have incorporated the same technology to implement single sign-on.
So, as always I decided to test the new feature. Here are my results:

1. It worked for me the very first time, despite the fact that I had a little hard time finding the article in the Cyberoam KB.
Here are the articles I used to configure NTLM on the browser and on Cyberoam respectively:

http://kb.cyberoam.com/default.asp?id=2252&Lang=1&SID=
http://kb.cyberoam.com/default.asp?id=2251&Lang=1&SID=

2. I was not able to find anything related to NTLM on AD in the Cyberoam KB; however, when I researched I found that NTLM has to be enabled on AD by following:
http://support.microsoft.com/kb/239869

3. When I first heard about NTLM, I thought it might slow down access to web sites, since it is browser-based authentication, but I observed no delay.

4. The company where I recently deployed NTLM had some reservations. The IT guy there told me that Microsoft recommends NOT using NTLM as it is not secure. I told him that it is just another feature on offer and other vendors use it too; although it is not secure, it is good enough to be used internally for authentication.

5. The deployment has been successful; I checked the behaviour on multiple browsers on Windows and Linux. However, it will be interesting to see how it works on mobile devices, e.g. BlackBerry OS, iPhone, iPad etc.

Few things I liked about NTLM SSO:
a) Very seamless
b) No delay
c) Easy to deploy
d) Works well with multiple browsers on windows and Linux
e) No installation of any kind of client on AD or end users

Note: Cyberoam says that it does not support NTLMv2; however, when I used NTLMv2 on AD, I faced no issues.
Cyberoam also mentions that the only supported browsers are IE and Firefox, but Chrome and Safari gave me no problems while using them.
I have not yet tested this using my iPhone, iPad or Android, but I will certainly check it soon and come back with the results.

Cyberoam has now become a mature product and with the new features coming up it is surely going to make an impact in the market.