26 Jan

Apple App Transport Security (ATS) and ASA self-signed SSL certificate

Apple care about users privacy and security quite well. Of course it’s a matter of opinion but Apple put strong focus on encryption and peer authentication. In 2015 Apple introduced App Transport Security (ATS) as part of their Network Framework With every release they are putting more and more responsibility on developers and content operators to provide proper traffic encryption proper certificate signing and chain etc. That means if application is trying to connect to HTTP server that does not support latest TLSv1.2 connection should fail.

There is no doubt that ATS is good for end users and that’s right direction every corporation should follow. But switching to TLSv1.2 is not something that can be done just like that, obtaining signed certificate expensive option, especially for development environments or if you are writing apps to just test something or for fun. Self-signed certificates are the solution for such cases but there are few problems that we can encounter.

Read More

23 Jan

How to act as your own local CA and sign certificate request from ASA

There are several ways to operate on certificates. The widest spread method is by openssl library and associated command line tools. Library was not and probably is still not free of bugs. But it’s widely spread  among many operating systems which makes it a tool that easily can be used on most popular operating systems. If you are running Windows Server you can install Certificate Services component, Mac users can use Keychain Access which is core component of macOS.

While working with certificates and those tool remember about best practices. Points below are valid as of the end of 2016.

  • Use at least 2048-Bit Private Keys
  • Try to avoid wildcard certificates but remember to cover all FQDN’s in certificates
  • Use strong certificate signature algorithms – SHA256 is standard now,  SHA-1 has been deprecated
  • Use strong encryption for your connection – not really certificate related but worh notifying that TLSv1.2 is now a standard supporting strong cryptographic algorithms
  • Use complete certificate chains
  • Use strong key exchange and forward secrecy

If you want to know more about best practices you may refer to this short manual.

Read More

17 Jan

Cisco ASA REST API – Part V: Node.js, JavaScript and small HTTP server displaying ACL

I was not planning this chapter and putting away Perl for even a moment, but I have some talk with my VeriFone colleague on scripting, REST API and how creating web server which uses REST API back end to control certain parameters of firewall is not that easy and straightforward. We both have some programming and scripting experience but neither of us is a programmer. We both know more or less several programming languages but we are not proficient. But we both have (at least we thing we have) good fundamental knowledge about programming.

The topic circulated around web page that will let display and manipulate ACL entries on firewall in non-SDN data center. Feature quite simple that most independent firewall management platforms can do. The problem is that most of those applications are using CLI via SSH to send commands and parse output, that’s exactly how Cisco ASDM is working in example, but we wanted something maybe a little more flexible, reliable… We both agreed that JSON is flexible structure that should be easy to use. So how to write a comprehensive script?

Read More

09 Jan

Cisco ASA REST API – Part IV: Debugging REST API Agent

First published: 09/Jan/2017
Last update: 09/Jan/2017

In chapter Cisco ASA REST API – Part I: Getting started primary configuration for REST API has been done on firewalls then in chapter Cisco ASA REST API – Part III: Checking if prefix is directly connected first script in Perl has been created. Let’s now look at ways we can troubleshoot REST API calls and status on Cisco ASA. This may be crucial to detect cause of the problem. Troubleshooting requires command line access to firewall in enabled mode.

In this chapter I will use script I presented previously and also will execute some REST API methods using Firefox RESTClient extension mentioned if first chapter. Because output of debug can be extensive listings will contain only crucial parts.

Debugging REST API means checking particular component for errors or other logs that might be interested for us. Command execution require in first place declaration which component will be debugged.


asav-1# debug rest-api ?

agent Rest-API Agent
cli Rest-API cli handling
client Rest-API client request handling
daemon Rest-API debug/syslog handling
process Starting/Stopping of Rest-API Agent
token-auth Rest-API Token authentication

Read More

03 Jan

Cisco ASA REST API – Part III: Checking if prefix is directly connected

First published: 03/Jan/2017
Last update: 03/Jan/2017

It’s time to do some programming and really use REST API for something good. The first script will be used to check if specified prefix is directly connected to any of firewall interfaces. Script requires two arguiments: checked IP address and IP address of firewall. The execution of script will be as below


$ ./IfDirectlyConnected.pl
Usage: IfDirectlyConnected.pl [Checked IP Address] [Firewall Management IP]

At this demo script require IP addresses to be used and is not checking if arguments are IP addresses, just simply validating if two it’s executed with two arguments.

Please take a moment to look back to my post Cisco ASA REST API – Lab topology and programming language where I explained the topology of simulated network and presented IP addresses assigned to each device. Routing is configured and all subnets are reachable.

We will test te script on asav-1 firewall. The expected results are as follow:


$ ./IfDirectlyConnected.pl 10.0.12.5 172.16.1.51
Checking address 10.0.12.5 on firewall 172.16.1.51
RESULT: Destination route is directly connected

$ ./IfDirectlyConnected.pl 10.0.24.5 172.16.1.51
Checking address 10.0.24.5 on firewall 172.16.1.51
RESULT: Route in routing table but not directly connected

$ ./IfDirectlyConnected.pl 10.0.99.5 172.16.1.51
Checking address 10.0.99.5 on firewall 172.16.1.51
RESULT: Subnet not in routing table

Script is available on my GitHub

Read More