DNS vs DHCP WPAD

The use of WPAD (or PAC file) is sometimes necessary for pushing the proxy address. As there are several ways to push the WPAD, it can be hard to choose the right way. In this post, I won’t be discussing what the WPAD is, or how it is created, but I will address what the differences are and hopefully, this can be helpful with your implementation decisions.

DHCP and DNS WPAD PROs

Easy to use
Both are easy to configure. DNS WPAD is set by creating an A-record within your domain (containing WPAD or WPAD.domain.local). DHCP WPAD is configured by using option 252 in your DHCP scope.

No alteration needed by the user
If a user is working from home, the user doesn’t have to alter the proxy settings to be able to connect to the internet, as is the case with configuring it manually. This is especially practical when you only use a proxy inside the (company) network.

DHCP and DNS WPAD CONs

Security
Security is becoming more standard in companies as threats rise day by day. As it is best practice to “layer it up” (like an onion), a proxy can add another layer of defence. Proxies can be used to secure internet gateways for users by blocking certain websites or categories. Some proxies can also scan for malware and viruses, thus creating the extra barrier we’re looking for, security-wise. However, with users also taking their systems home and introducing B.Y.O.D., malware and viruses can be picked up elsewhere and then brought back into the company. By using WPAD only, once a system leaves the network it will no longer be able to reach the proxy, and thus it will no longer have that extra security layer.

DHCP WPAD CONs

Application
Most applications will share the WPAD settings of the system (or of Internet Explorer). However, some applications don’t support DHCP WPAD. For example, if you’re using Mozilla Firefox, you are obliged to move to DNS WPAD, as Firefox will not work with DHCP WPAD.

DNS WPAD CONs

Security/Vulnerability
There are several vulnerabilities with WPAD (one of which is explained above), especially when using DNS WPAD. This is due to the way DNS WPAD works. Below is an example of how this vulnerability could be exploited.

As you need to know how DNS WPAD works to understand the exploit, here is a short summary:
First of all, the application will try to resolve “WPAD”. When this doesn’t result in a reply, it will try to resolve WPAD.domain.suffix; when that doesn’t work, it will move on to WPAD.subdomain.domain.suffix, and so on.

It could happen that you’re using a different domain internally (e.g. domain.local) and the client, for some reason, resolves this with a public name server instead of your local DNS. A person with malicious intentions could register this domain. He or she could point WPAD.domain.local at a malicious server and that way look into all web traffic, or redirect sites to a malicious page that installs malicious software.
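The scenario above has two observable preconditions on the client side: a WPAD lookup that leaves the internal resolvers, or a WPAD name under a DNS zone the company is not authoritative for (so somebody else could register it). The following is an added example, not code from the original post, that flags both in a DNS query log. The resolver addresses, the zone list, the log format and the log lines are all constructed for the example; real resolver logs will need their own line parser.

```python
"""Added example (not from the original post): scan DNS query logs for WPAD
lookups that leave the internal resolvers or fall under a zone our own DNS
is not authoritative for. Both are the precondition for the DNS WPAD abuse
described in the post. Resolvers, zones and log lines are constructed."""
import re
from dataclasses import dataclass

# Constructed assumptions: the resolvers clients are supposed to use, and the
# zones our internal DNS is authoritative for (nobody else can register them).
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_ZONES = ("corp.example.com", "example.com")

# Constructed sample log in a simplified "client -> resolver qname" format.
SAMPLE_LOG = """\
10.0.5.21 -> 10.0.0.53 wpad.corp.example.com
10.0.5.21 -> 10.0.0.53 intranet.corp.example.com
10.0.5.42 -> 8.8.8.8 wpad.domain.local
10.0.5.42 -> 8.8.8.8 wpad
10.0.7.9 -> 10.0.1.53 wpad.branch.corp.example.com
10.0.7.9 -> 1.1.1.1 www.example.org
10.0.9.3 -> 10.0.0.53 wpad.partner.example.net
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+) (\S+)$")


@dataclass(frozen=True)
class Finding:
    client: str
    resolver: str
    qname: str
    reason: str


def is_wpad_query(qname: str) -> bool:
    """True when the leftmost label is 'wpad' (wpad, wpad.domain.local, ...)."""
    return qname.rstrip(".").lower().split(".")[0] == "wpad"


def in_internal_zone(qname: str) -> bool:
    """True when the name sits inside a zone our own DNS is authoritative for."""
    name = qname.rstrip(".").lower()
    return any(name == zone or name.endswith("." + zone) for zone in INTERNAL_ZONES)


def check_wpad_queries(log_text: str) -> list[Finding]:
    """Return one Finding per WPAD lookup that is risky for one of two reasons."""
    findings = []
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # ignore lines that do not fit the constructed format
        client, resolver, qname = match.groups()
        if not is_wpad_query(qname):
            continue
        if resolver not in INTERNAL_RESOLVERS:
            # The post's scenario: a public resolver is asked for a name that
            # should only exist on the internal DNS.
            findings.append(Finding(client, resolver, qname,
                                    "WPAD lookup sent to an external resolver"))
        elif "." in qname.rstrip(".") and not in_internal_zone(qname):
            # A multi-label WPAD name under a zone somebody else could register.
            # A bare 'wpad' label has no zone, so it is not judged here.
            findings.append(Finding(client, resolver, qname,
                                    "WPAD lookup under a zone we are not authoritative for"))
    return findings


if __name__ == "__main__":
    for f in check_wpad_queries(SAMPLE_LOG):
        print(f"{f.client} -> {f.resolver} {f.qname}: {f.reason}")
```

Run against the constructed log, the two lookups sent to 8.8.8.8 and the lookup under partner.example.net are reported; the lookups under corp.example.com sent to the internal resolvers are not. The same check can be fed from a firewall egress log instead: any UDP/53 traffic from clients to non-internal resolvers is a finding by itself, regardless of the name.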

Personal preference

Personally, I’d prefer an in-line deployment of the proxy, so the user (and/or system admin) doesn’t have to alter anything within the system. This way, you won’t have to use the WPAD option: everything will be sent to the proxy anyway, and there are no issues with applications that don’t support WPAD. Furthermore, users are less able to bypass the proxy altogether (and with that, less likely to download viruses or malware).

Another option is to move to a next-gen firewall that has URL filtering and anti-malware and file-scanning capabilities, especially when you’re using the same vendor for the proxy and the firewall. However, you might want them both, if they are using different scanning techniques or engines.

Of course, this will not solve the issue with users who work from home or elsewhere, and you’ll have to take privacy into consideration when thinking about securing that. If you’re still looking for a solution and want to proxy traffic everywhere, you might want to look into a cloud solution.

SSH Access issues with ASA 9.12+

As of ASA version 9.12 you may experience issues with some applications that use SSH. You may get an error that you’re unable to connect or log in to the device, even though you’re certain that your username and password are correct. This happens with applications that use SSH (for example the config management of SolarWinds, or PuTTY prior to version 0.71).

Cause

By default, ASA 9.12 and later use a new DH key exchange mode: dh-group14-sha256. Before this version, only DH group 1 with SHA1 was supported. SHA256 is not activated by default in most applications, or they simply do not support it.

Solution

You can solve this either by making sure your application can use SHA256 with Diffie-Hellman group 14, or by altering the key exchange group on the ASA.

As we are not application managers, we will not describe how to alter your application. For that, you can find a variety of websites online describing how to alter the hashing algorithms and key exchanges. If you have issues with PuTTY, we highly recommend upgrading to the latest version. PuTTY supports SHA256 as of version 0.71.
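To make the cause and the two remedies concrete, here is an added example (not code from the original post) that reproduces how an SSH client and server choose the key-exchange method: per RFC 4253 the first entry in the client’s preference list that the server also offers wins, and when there is none the connection is torn down before any password is checked, which is why the error looks like a login failure. The function names and the algorithm lists are mine and constructed to mirror the post: an ASA 9.12+ default of dh-group14-sha256 only, the ASA after the CLI change to dh-group14-sha1, and clients of varying age.

```python
"""Added example (not from the original post): SSH key-exchange negotiation
as RFC 4253 section 7.1 defines it, applied to the ASA 9.12+ situation.
All algorithm lists are constructed for the example."""


def negotiate_kex(client_kex, server_kex):
    """Return the first method in the client's preference order that the
    server also offers, or None when the two have nothing in common."""
    offered = set(server_kex)
    for method in client_kex:
        if method in offered:
            return method
    return None


def diagnose(client_kex, server_kex):
    """Human-readable verdict for a client/server pair."""
    chosen = negotiate_kex(client_kex, server_kex)
    if chosen is None:
        return ("no common key-exchange method (client: "
                + ", ".join(client_kex) + "; server: "
                + ", ".join(server_kex) + ")")
    return "negotiated " + chosen


# The ASA CLI selects exactly one group, so each ASA list has one entry.
ASA_DEFAULT = ["diffie-hellman-group14-sha256"]      # 9.12+ out of the box
ASA_GROUP14_SHA1 = ["diffie-hellman-group14-sha1"]   # after 'ssh key-exchange group dh-group14-sha1'

# Constructed clients, strongest method first. The SSH name
# 'diffie-hellman-group1-sha1' is the 1024-bit Oakley group 2, which is why
# the ASA help output in this post lists dh-group1-sha1 as "Diffie-Hellman group 2".
OLD_CLIENT = ["diffie-hellman-group1-sha1"]
LEGACY_CLIENT = ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
MODERN_CLIENT = ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"]


if __name__ == "__main__":
    clients = [("old", OLD_CLIENT), ("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)]
    for name, client in clients:
        print(f"{name:6} client vs ASA default:      {diagnose(client, ASA_DEFAULT)}")
        print(f"{name:6} client vs ASA group14-sha1: {diagnose(client, ASA_GROUP14_SHA1)}")
```

Two things fall out of running it. Upgrading the client keeps the SHA-256 exchange, while switching the ASA to dh-group14-sha1 makes the legacy client work but, because the ASA offers only the one group, every session from every client now negotiates the SHA-1 exchange. And a client that only knows group 1 fails against both ASA settings, so for that case the client really has to be updated.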

For the ASA you can use either the CLI or the ASDM GUI to alter your key exchange group.

These are the CLI commands you can use for altering the key-exchange group:

ASAv1# configure t
ASAv1(config)# ssh key-exchange group ?

configure mode commands/options:
dh-group1-sha1 Diffie-Hellman group 2
dh-group14-sha1 Diffie-Hellman group-14-sha1
dh-group14-sha256 Diffie-Hellman group-14-sha256
ASAv1(config)# ssh key-exchange group dh-group14-sha1
ASAv1(config)#

For ASDM, you need to navigate to Device Management > Management Access > ASDM/HTTPS/Telnet/SSH. At the bottom of the page you can find the DH Key Exchange setting.

Just select the key exchange you want and apply the configuration.

SSL Anyconnect and Chrome

A while ago, we had an issue with SSL AnyConnect. The issue was encountered on a Cisco Firepower with ASA image (IOS 9.13) and for some reason it only shows up when using Chrome. No other browser seemed to have this issue; we tested Firefox and Internet Explorer.

The issue

We couldn’t view the normal AnyConnect page. Instead, the page was displayed as:

<html><script>document.location.replace('/+CSCOE+/logon.html?tgroup=GROUP')</script></html>

However, if you paste the URI “/+CSCOE+/logon.html?tgroup=GROUP” manually behind the URL, you will get the correct page.

The solution

The solution was to disable HTTP headers within the webvpn configuration. For this you need to use the CLI. The commands used to resolve this are shown below.

FIREWALL# configure terminal
FIREWALL(config)# webvpn
FIREWALL(config-webvpn)# no http-headers
FIREWALL(config-webvpn)#

Afterwards you can see that the page will redirect as usual.

The hidden commands of WSA/SMA

While troubleshooting several WSA and SMA issues, I found out that Cisco has implemented a couple of neat “hidden commands”. Of course these won’t be shown when you use tab completion, so please use them wisely.

I’ll update this list when I discover another.

Alert_timeout

This command is used to alter the time before an alert is sent when a WSA cannot be reached by the SMA. By default this is set to 360 minutes, but it can be altered.

SMA > reportingconfig

Reporting service status: Centralized Email Reporting is disabled.
Reporting service status: Centralized Web Reporting is enabled. (Show usernames in reports.)

Choose the operation you want to perform:
- SETUP - Enable Centralized Reporting for this management appliance.
- DOMAIN - Configure domain report settings.
[]> alert_timeout

An alert will be sent if reporting data has not been fetched
from an appliance after 360 minutes.
Would you like timeout alerts to be enabled? [Y]>

After how many minutes should an alert be sent?
[360]>

Choose the operation you want to perform:
- SETUP - Enable Centralized Reporting for this management appliance.
- DOMAIN - Configure domain report settings.

You want to alter these settings if you didn’t (or couldn’t) set up proper monitoring (so you will get an alert when one of your WSAs stops responding), or if your WSA is down for more than 6 hours (for example, if your company only works 8 hours a day and you decide to shut the box down for the remaining hours to save energy).

You can alter the alert timeout setting on the SMA under reportingconfig, as shown in the command section above.

The minimum value is 20 minutes and there is no maximum value.

Ipcheck

WSA/SMA> ipcheck

This command will display all of the information about the WSA or SMA. Here you can find:

  • Ipcheck revision
  • Date
  • Model
  • Platform
  • Version
  • Build date
  • Install date
  • Burn-in date
  • Serial no.
  • Bios version
  • RAID version
  • RAID status
  • RAID Type
  • RAID Chunk
  • BMC Version
  • Misc Disk information
  • RAM information
  • NIC information
  • PS information
  • Information about keys.

You should use this command if you need a quick overview of the status of your device. For example, this is the only place I found information about the power supply. It also contains the MAC addresses of all interfaces, so you don’t have to inspect each interface separately.

Most of this information can be found using the regular commands. However, it does include data that isn’t shown when you use them. Most of this information is currently included in the output of the command:

WSA/SMA> version

Localhosts

In some cases you need to add an A-record locally, e.g. when you’re unable to use your company’s DNS and you have split DNS configured. You can configure this with the localhosts command, which is reached from within dnsconfig.

WSA> dnsconfig
Currently using the local DNS cache servers:
1. Priority: 0 8.8.8.8

Choose the operation you want to perform:
- NEW - Add a new server.
- EDIT - Edit a server.
- DELETE - Remove a server.
- SETUP - Configure general settings.
[]> localhosts

Local IP to Host mappings:

Choose the operation you want to perform:
- NEW - Add new local IP to host mapping.
- DELETE - Delete an existing mapping.
[]>new

Enter the IP address of the host you are adding.
[]> <IP>

Enter the canonical host name and any additional aliases (separate values with
spaces)
[]> <hostname>


Local IP to Host mappings:
1. <IP> <hostname>


Choose the operation you want to perform:
- NEW - Add new local IP to host mapping.
- DELETE - Delete an existing mapping.
[]>

So basically, this is equivalent to the hosts file on any other system. Do not forget to commit the changes at the end, as this is mandatory to activate the configuration.

Our first start!

So our dear readers,

Thank you for visiting our blog page! We will try to update this fairly regularly (whenever we feel like it… but at least once a month). As we are setting things up, please be patient with us :).

So we’ll be posting about everything that we come across. Most likely it’ll be network related, as we both work as network consultants/engineers.

For more information about “us”, please visit the “about us” page!

Much of love,

Pieter and Mirjam