Opportunistic TLS
Posted on March 21st, 2009
We had to upgrade our mail gateway/anti-spam software on Sunday because one of our vendors requires us to use encryption when exchanging emails with them. The easiest solution is opportunistic TLS, where our mail server always tries to set up a TLS session with the receiving server before handing over the message. If the other server supports TLS, the traffic is encrypted; if not, the email is sent over regular, unencrypted SMTP.
This is actually the first time I've even heard of opportunistic TLS; I'm used to seeing S/MIME and PGP when reading about email encryption. What I like about it is that encryption and decryption happen on the server side, so users don't have to do anything different when sending email, and we don't have to issue a certificate to each user and manage the keys.
If you're using Exchange Server 2007, opportunistic TLS is already enabled by default. You can check this by entering Get-SendConnector "Send Connector Name" | Format-List in the Exchange Management Shell. Look for the IgnoreSTARTTLS parameter: if it's set to False, the connector will use TLS whenever the remote server offers it, i.e. opportunistic TLS is enabled.
To check whether a server supports TLS, telnet to the server on port 25, send EHLO followed by your domain name, and look for STARTTLS in the list of extensions the server replies with, for example:
telnet mail.global.frontbridge.com 25
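The same check as a script, added here as an example (it is not from the original post): it sends EHLO, looks for STARTTLS among the advertised extensions and, if present, completes the handshake so you can see which protocol and cipher the server actually negotiates. The host name is the one from the telnet example above; everything else is standard library.

```python
# Added example, not part of the original post: probe a mail server for
# STARTTLS the way the telnet test above does, then finish the handshake and
# report what was negotiated. Standard library only; host name below is the
# one quoted in the post.
import smtplib
import ssl
import sys

def parse_ehlo_capabilities(ehlo_msg: bytes) -> set:
    """Extract extension keywords from the EHLO reply text smtplib returns.

    smtplib strips the leading '250-' / '250 ' from every line; the first
    line is the server greeting, each later line starts with one keyword.
    """
    caps = set()
    for line in ehlo_msg.splitlines()[1:]:
        words = line.decode("ascii", "replace").split()
        if words:
            caps.add(words[0].upper())
    return caps

def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect, send EHLO and, if STARTTLS is offered, negotiate it.

    Opportunistic TLS as described above encrypts the hop but does not
    authenticate the peer, so the handshake here skips certificate checks;
    the result records that no verification was done.
    """
    result = {"host": host, "starttls_offered": False, "tls_version": None,
              "cipher": None, "cert_verified": False}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with code {code}")
        if "STARTTLS" not in parse_ehlo_capabilities(msg):
            return result        # mail to this host would travel in clear text
        result["starttls_offered"] = True
        ctx = ssl.create_default_context()
        ctx.check_hostname = False       # opportunistic: no identity check
        ctx.verify_mode = ssl.CERT_NONE
        smtp.starttls(context=ctx)
        result["tls_version"] = smtp.sock.version()
        result["cipher"] = smtp.sock.cipher()[0]
    return result

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.global.frontbridge.com"
    print(probe_starttls(target))
```

If starttls_offered comes back False, mail to that server will leave your gateway unencrypted, which is exactly the fallback the vendor requirement is meant to avoid.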
Here's an example of the header of an email that was delivered with TLS enabled (I modified the IP addresses and names for privacy reasons). The "(TLS)" in the Exchange hop and the "TLS: TLSv1/SSLv3,128bits,AES128-SHA" in the Trend IMSS hop are what show that each hop was encrypted:
Received: from mailgateway01 (1.2.3.4) by mailserver01.domain.com (1.2.3.5)
  with Microsoft SMTP Server (TLS) id 8.1.263.0; Mon, 16 Mar 2009 18:05:18 -0400
Received: from mail.global.frontbridge.com ([65.55.88.22]) by mail.somedomain.com
  ([1.2.3.4]) with ESMTP (TREND IMSS SMTP Service 7.0; TLS: TLSv1/SSLv3,128bits,AES128-SHA)
  id 06456c96000057da for <jdoe@microsoft.com>; Mon, 16 Mar 2009 18:05:16 -0500
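Reading these by eye works for one message; the script below (an added example, not part of the original post) does the same hop-by-hop check on a whole header block. The sample is the two hops quoted above, re-folded RFC 5322 style, plus a third, made-up clear-text hop so the report shows both outcomes; the "ESMTPS" keyword pattern is a common Postfix/Sendmail form and, like the others, is a heuristic, not proof.

```python
# Added example, not from the original post: walk a message's Received
# headers (outermost first) and report per hop whether the receiving server
# logged a TLS session. Markers: the two forms in the post's header plus the
# Postfix/Sendmail "with ESMTPS" keyword. Heuristics, not proof.
import re

# Constructed sample: the post's two hops plus a made-up clear-text hop.
SAMPLE_HEADERS = """\
Received: from mailgateway01 (1.2.3.4) by mailserver01.domain.com (1.2.3.5)
 with Microsoft SMTP Server (TLS) id 8.1.263.0; Mon, 16 Mar 2009 18:05:18
 -0400
Received: from mail.global.frontbridge.com ([65.55.88.22]) by mail.somedomain.com
 ([1.2.3.4]) with ESMTP (TREND IMSS SMTP Service 7.0; TLS:
 TLSv1/SSLv3,128bits,AES128-SHA) id 06456c96000057da for <jdoe@microsoft.com>;
 Mon, 16 Mar 2009 18:05:16 -0500
Received: from [192.0.2.50] by relay.example.test with ESMTP id 1; Mon, 16 Mar 2009 18:00:00 -0500
"""

def unfold_received(raw: str) -> list:
    """Join folded continuation lines and return the Received values in order."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()      # continuation of previous field
        else:
            fields.append(line.rstrip())
    return [f[9:].strip() for f in fields if f.lower().startswith("received:")]

def hop_tls(received: str):
    """Describe the TLS evidence in one Received value, or None if there is none."""
    m = re.search(r"TLS:\s*([^)]+)\)", received)            # Trend IMSS form
    if m:
        return m.group(1).strip()
    if "Microsoft SMTP Server (TLS)" in received:             # Exchange 2007 form
        return "TLS (Exchange; cipher not logged)"
    if re.search(r"\bwith ESMTPSA?\b", received):           # Postfix/Sendmail keyword
        return "ESMTPS"
    return None

def audit(raw: str) -> list:
    """Return (from_host, by_host, tls_detail_or_None) per hop, outermost first."""
    hops = []
    for value in unfold_received(raw):
        m = re.match(r"from\s+(\S+).*?\bby\s+(\S+)", value, re.S)
        frm, by = (m.group(1), m.group(2)) if m else ("?", "?")
        hops.append((frm, by, hop_tls(value)))
    return hops

if __name__ == "__main__":
    for frm, by, tls in audit(SAMPLE_HEADERS):
        print(f"{frm:30} -> {by:25} {tls or 'NO TLS (clear text)'}")
```

Only the hops your own servers wrote can be trusted; a Received line added by a foreign server is just text it chose to write.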
Untangle 6.1 Beta Now Available
Posted on February 15th, 2009
The biggest change in 6.1 is that it's now based on Debian Lenny (kernel 2.6.26). Here's the full changelog. You can download the beta here.
-
Untangle Network Gateway
Posted on January 3rd, 2009
Another great piece of open source software.
Untangle is basically a Unified Threat Management (UTM) solution designed for SMBs (up to about 300 users, although there are people who have successfully deployed it in much bigger environments, like this one, for example, with 1600+ users). Untangle packages all these great open source security tools together and provides a really nice and very intuitive user interface for them, simplifying installation and management. They also have commercial add-ons and provide live support for a fee.
Here’s the product overview.
Open Source and Free
- Firewall - Just like most firewalls, nothing really special. You can add a description to each rule (yes, I had to mention this because our current SonicWALL firewall at work doesn’t have this option!!!).
- Web Filter - 14 categories. Uses a local database with data downloaded from URLBlacklist.com. I asked in the forums how often it gets updated and someone mentioned he thinks it’s every 6 hours but I haven’t confirmed it.
- Spam Blocker - Uses SpamAssassin. Gets updated every hour.
- Phish Blocker - Based on ClamAV engine and phish signature database which gets updated every hour.
- Spyware Blocker - I really like this one. Seems to be blocking a lot of stuff. Sometimes you’ll see websites with just a big white section somewhere where an ad used to be :).
- Virus Blocker - Based on ClamAV. Signature gets updated every hour.
- Protocol Control - Uses "L7-Filter Netfilters to classify protocols based on OSI layer 7 data, regardless of port or port-hopping." Let's say you want to block AIM, but AIM has the option to use a different port, like port 80 for example, so blocking just the default AIM port on the firewall won't work. With Protocol Control, it doesn't matter which port AIM is using; it can detect it based on its signature.
- Intrusion Prevention System - Uses Snort signatures.
- Attack Blocker - Blocks attacks :). This prevents DoS attacks.
- OpenVPN - Well, just like what the name says, it uses OpenVPN. They made it really easy to set up. You can also control which network to give a user access to and override DNS settings.
- Untangle Reports - I love this one. Gives you a nice summarized and detailed report (Daily, Weekly, and Monthly).
Commercial Add-ons
- Active Directory Connector - Uses a logon script that tells the server what IP a user is using.
- Policy Manager - Lets you create multiple custom racks and assign them to certain users or IP addresses.
- Branding Manager - Lets you change the look of the block pages.
- eSoft Web Filter - A better web filter with 53 categories. It also allows you to block HTTPS sites. It's a bit pricey though.
- Kaspersky Virus Blocker - Adds another layer of protection.
- PC Remote
- Remote Access Portal
You can deploy Untangle as a router, a transparent bridge, or a re-router. I’ve been using it at home in router mode (virtual machine) for over a month now (I started with v5.4 and I just upgraded today to v6.0.2) and it’s great so far. Very stable and seems to be doing its job. You can manage everything using the web interface (Java is no longer required starting with v6.0).
We're actually planning on using this at work to replace our old SonicWALL firewall (which we've been planning to replace since last year, but it kept getting pushed back due to budget cuts); this would save us thousands of dollars compared to buying a commercial UTM appliance.
-
Cisco 871 DHCP Problems
Posted on July 26th, 2008
Ran into a problem last week where our vendor's Cyclades TS100 devices couldn't acquire an IP address from our Cisco 871 router's DHCP service.
This was a big problem for us because we have about 70 locations using this router and all of them will have these Cyclades TS100s installed in the next two weeks.
After about two days of troubleshooting/testing and working with the vendor we finally figured out the problem. All we had to do to make it work was enable spanning-tree portfast on the Cisco 871 ports. What gave it away was when we put a switch in between and the TS100 was able to receive an IP with that setup.
Portfast lets a port forward traffic immediately instead of waiting out STP's listening and learning states (about 30 seconds with default timers), which is longer than many DHCP clients wait for an offer. Only enable it on ports that connect directly to an end device, never on a port that leads to another switch. To enable spanning-tree portfast, type in these commands (replace faX with the switch port the TS100 is plugged into, e.g. fa0):
en
config t
interface faX
spanning-tree portfast
end
write memory
For more tips on troubleshooting DHCP problems with Cisco devices please see this website:
-
How to install a backup SonicWALL PRO 230 firewall
Posted on January 4th, 2008
We had to do this last January. It was supposed to be a job that wouldn't take more than an hour, but it took us a few hours due to the lack of documentation (our biggest issue was how to reset the firewall to factory defaults, because no one knew its password; the person who originally configured the second firewall left a while back). SonicWALL no longer supports this product and it took us quite a bit of googling to finally find the information we needed. I made sure I documented everything we did and now I'm sharing it with you guys.
Prerequisites
- (2) SonicWALL PRO 230
- (3) Switches for the WAN/DMZ/LAN ports
- (6) CAT5 Cables for connecting the 2 firewalls to the switches
- (2) Static LAN IP addresses
- A backup of the Primary firewall’s settings
- Make sure that the Backup Firewall has not been previously configured for use (go to Tools->Restore Factory Default Settings). Also set the password to "password" using the Password tab in the General section. ** If you cannot log in to the backup firewall you will need to reset it to factory defaults by reloading the firmware (see below). **
Resetting the SonicWALL PRO 230 to factory defaults by reloading the firmware (the following steps might also work with other models)
- Turn off the firewall and unplug the power cord.
- Use a paperclip to push the small button on the front of the firewall and hold it for 15 seconds.
- While the button is still pushed down, plug the power cord back in and turn on the firewall.
- Wait another 15 seconds and release the button.
- Turn off the firewall. The firmware should now be corrupted at this point.
- Get a crossover cable and plug one end into the LAN port of the firewall and the other end into your laptop/computer.
- Change your laptop/computer’s IP Address to 192.168.168.200.
- Open a web browser and go to http://192.168.168.168.
- You should see a page asking you to upload the firmware for the SonicWALL (you can get it from SonicWALL's website by logging in to your account). Upload the file (.bin) and the firewall will restart. Once it is back up it should be back to factory defaults with an admin password of "password".
Required Steps
- Make sure both firewalls are off.
- Connect both firewalls to the network.
- Turn on the Primary Firewall and wait for diagnostics to complete.
- Log in to the Primary Firewall (let’s pretend this IP is 192.168.0.1).
- Click High Availability on the left.
- High Availability Status (Primary SonicWALL):
  - LAN IP Address: e.g. 192.168.0.2 (make sure this is different from the IP you're logged in to right now, i.e. 192.168.0.1)
- High Availability Settings (Backup SonicWALL):
  - Serial Number: (of the Backup firewall)
  - LAN IP Address: e.g. 192.168.0.3
  - Check Preempt Mode (to allow the Primary to take over when it comes back up)
  - Heartbeat Interval: 5 seconds (lowest is 3)
  - Failover Trigger Level: 3 missed heartbeats (Backup will take over if 2 heartbeats are missed)
  - Active SonicWALL Detection Time: 0 seconds
- Click Update.
- Turn on the Backup Firewall (the Primary Firewall will detect its presence and synchronize the settings).
- Check the Primary Firewall log for a High Availability confirmation message.
- Log in to the Backup Firewall (192.168.0.3) to confirm that it is the backup.
Testing the Configuration
- Turn off Primary and see if the Backup picks up.
- Turn Primary back on and see if it will take over.
- Make a note of how long it took to pick up and also check for network interruptions (it should pick up instantly).
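To put a number on "how long it took to pick up", the script below (an added example, not part of the original post) polls the shared management IP from a LAN host over TCP while you power the Primary off and back on, and reports every outage it sees. It assumes the SonicWALL answers HTTP on port 80 of 192.168.0.1, the address used in the steps above; pass another host or port on the command line if yours differs.

```python
# Added example, not part of the original post: time the failover test above
# by probing the shared management IP (192.168.0.1 in the post) over TCP and
# recording every outage. Assumes the SonicWALL answers HTTP on port 80 of
# its LAN IP; pass another host/port if yours differs.
import socket
import sys
import time

def probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def outages(samples):
    """Turn (timestamp, reachable) pairs into (down_since, up_again, seconds)
    tuples, one per outage; an outage still open at the end has up_again=None."""
    result, down_since = [], None
    for ts, ok in samples:
        if not ok and down_since is None:
            down_since = ts                     # transition up -> down
        elif ok and down_since is not None:     # transition down -> up
            result.append((down_since, ts, round(ts - down_since, 3)))
            down_since = None
    if down_since is not None:
        result.append((down_since, None, None))
    return result

def watch(host: str, port: int = 80, interval: float = 0.5,
          duration: float = 120.0) -> list:
    """Poll host:port every `interval` seconds for `duration` seconds."""
    samples, end = [], time.time() + duration
    while time.time() < end:
        samples.append((time.time(), probe(host, port)))
        time.sleep(interval)
    return samples

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    # Start this, then power the Primary off (and later back on) as in the
    # test steps; each outage is the time the Backup or Primary took to take over.
    for down, up, secs in outages(watch(target, port)):
        print(f"down at {time.ctime(down)}, back {time.ctime(up) if up else 'never'}"
              f" ({secs} s)")
```

Expect two outages in a full test: one when the Primary goes down and the Backup takes over, and one when the Primary comes back and preempts.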
Notes
- If everything is working, the Primary will be in active mode and the Backup will be in idle mode.
- When the Primary goes down, the Backup will switch to active mode.
- When the Backup takes over, it will have all the settings of the Primary, including the network settings, so there is no need to change anything.
- The IP 192.168.0.1 will still reach whichever firewall is currently active.