
Security 101: Secure Connections


regid


moviefan

Even a conventional DMZ firewall sandwich is designed to have multiple firewalls from different vendors securing the DMZ from the public Internet and the internal network from the DMZ and the Public Internet.

 

I disagree with this statement.

 

I work with MANY fortune 500 and fortune 100 clients on their security.

 

I do not know of a SINGLE enterprise who is using "multiple firewalls from different vendors" at their perimeter unless you are talking about a dual vendor strategy from procurement.

 

Multi vendor FW management is a nightmare, even if you have a Tufin, Firemon, Algosec solution.

 

Added to it, setting up IPS and honey-pot systems throughout the concentric walled-off systems aids in detection of attacks.

 

 

IPS is included in every NGFW solution these days.  And honeypots are pretty much useless.  Although proper threat deception tech (Javelin, Guardicore) can be helpful for breach scenarios.


I disagree with this statement.

 

I work with MANY fortune 500 and fortune 100 clients on their security.

 

I do not know of a SINGLE enterprise who is using "multiple firewalls from different vendors" at their perimeter unless you are talking about a dual vendor strategy from procurement.

 

Multi vendor FW management is a nightmare, even if you have a Tufin, Firemon, Algosec solution.

Fair, I have been asked to do it a few times and noted that management is generally a nightmare. I then force department management to pay for outsourcing the equipment I can't manage.

 

 

IPS is included in every NGFW solution these days.

Agreed, the entire industry has been moving to a unified solution for a while; the Firepower equipment we have at work does a phenomenal job for us. Before that, the company I work for had legacy ASA 5520s. They worked as well, but after seeing the new feature sets, they are just FWs.

 

And honeypots are pretty much useless. Although proper threat deception tech (Javelin, Guardicore) can be helpful for breach scenarios.

I can not say that I have used either of your solutions, and will look further into them.

 

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

Swynol

I disagree with this statement.

 

I work with MANY fortune 500 and fortune 100 clients on their security.

 

I do not know of a SINGLE enterprise who is using "multiple firewalls from different vendors" at their perimeter unless you are talking about a dual vendor strategy from procurement.

 

Multi vendor FW management is a nightmare, even if you have a Tufin, Firemon, Algosec solution.

 

 

IPS is included in every NGFW solution these days.  And honeypots are pretty much useless.  Although proper threat deception tech (Javelin, Guardicore) can be helpful for breach scenarios.

 

I work for the NHS in the UK; we use a multi-vendor, multi-firewall setup. Because of the geographical size of our network, our class A IP range is divided into massive subnets, each with a firewall, then each of those subnets is broken down again multiple times, again each with its own completely separate firewall. Yes, it's a nightmare to manage. Personally I can update 2 levels of firewall, but any higher up than that I have to submit forms to 3 other 'organisations'. If it's a routing request then it's another form to our dedicated line contractor. It can take a month or so to get a port opened...


moviefan

I work for the NHS in the UK; we use a multi-vendor, multi-firewall setup. Because of the geographical size of our network, our class A IP range is divided into massive subnets, each with a firewall, then each of those subnets is broken down again multiple times, again each with its own completely separate firewall. Yes, it's a nightmare to manage. Personally I can update 2 levels of firewall, but any higher up than that I have to submit forms to 3 other 'organisations'. If it's a routing request then it's another form to our dedicated line contractor. It can take a month or so to get a port opened...

 

Thanks for the anecdote.  Interesting setup.

 

Lol @ month to get a port opened.

 

I've worked with energy companies that struggle with similar challenges, although not as bad as needing a month.  One of them NATs everything like five times because they believe this to be security through obfuscation.  As far as I can tell, all it does is make troubleshooting any problem ten times harder.


Swynol

Yeah, it's an interesting setup. We use something called PSBA; it's a network for the entire NHS, like a big LAN. So it's fairly reasonable to expect each county/organisation to have their own firewalling even inside that LAN. Imagine having 3 large companies which each own 10, 15 or 20 other companies, and each of those companies owns 5, 10, 15 smaller companies. That's what it's like.


Fratopolis

Ok so people are looking for a no-brainer way to do SSL

 

If you are willing to buy a new router some will generate a Let's Encrypt Cert for you and apply it to your router and make itself available for export to put in your emby server.

 

May I suggest the Asus RT-AC88U

 

Other features: it has 8x1gig LAN ports, can enable three VPN servers simultaneously (PPTP, OpenVPN, and IPSec VPN), has Alexa support if that's your thing, its own cloud file server, parental controls better than most I've seen on consumer routers, and a crap ton of other features. And the new AIMesh system works fantastic (seamless wireless handoff from one router to another).

 

Any other questions, just let me know.

 



horstepipe

hey guys, very interesting thread!

I'm also thinking about tightening up the security of my Emby server.

I'm having 2 methods in mind:

a ) Setting up a VPN-Server and make Emby server only accessible local

b ) rolling out client certificates

 

a ) is it possible to setup openvpn in a way that only the traffic to the Emby server goes through the VPN, so that the users use their normal gateway for everything else? It would be important that this can be set up on the server side, so the clients can't mess something up :-)

 

b ) I just saw that option in the Emby for Kodi client. Can somebody point me in the right direction on how to setup client certificates when using Emby Server on a VPS behind cloudflare?

 

Best regards

Edited by horstepipe

moviefan

Emby server doesn't have an option to require client side certificates.

 

You would need to do this in a reverse proxy or cloudflare setup.


Fratopolis

a ) is it possible to setup openvpn in a way that only the traffic to the Emby server goes through the VPN, so that the users use their normal gateway for everything else? It would be important that this can be set up on the server side, so the clients can't mess something up :-)

 

Set OpenVPN to TUN mode not TAP and make sure to set in the options to use "Local network only"

This will keep the clients internet traffic on their end and only route what you want. Make sure you set a static IP for your emby server and point clients to that.

Edited by Fratopolis

Ok so people are looking for a no-brainer way to do SSL

 

If you are willing to buy a new router some will generate a Let's Encrypt Cert for you and apply it to your router and make itself available for export to put in your emby server.

 

May I suggest the Asus RT-AC88U

 

Other features: it has 8x1gig LAN ports, can enable three VPN servers simultaneously (PPTP, OpenVPN, and IPSec VPN), has Alexa support if that's your thing, its own cloud file server, parental controls better than most I've seen on consumer routers, and a crap ton of other features. And the new AIMesh system works fantastic (seamless wireless handoff from one router to another).

 

Any other questions, just let me know.

 


Does it have an API and remote terminal so the export and re-issue can be automated?

 

 

Sent from my iPhone using Tapatalk


Fratopolis

Does it have an API and remote terminal so the export and re-issue can be automated?

 

 

Sent from my iPhone using Tapatalk

 

explain? the let's encrypt cert is auto renewed, it will do this by itself before it expires. 

 

I am assuming you are asking is there an api to export the cert from the router. That I am not sure.

 

But you could ssh to the router then convert the two pem files with this command exactly (openssl pkcs12 -export -out /etc/cert.pfx -inkey /etc/key.pem -in /etc/cert.pem -password pass:YOURECERTPASSWORDHERE)

 

I haven't automated the export to emby yet. I will later.

 

 

Basically, beginners who want to do this would have to export the auto-renewed cert once every three months by clicking the export.

then convert the files using a site like this https://www.rapidsslonline.com/ssl-tools/ssl-converter.php

then put the file you get from the site into emby.

 

takes about i don't know maybe 60 seconds once every three months.

Edited by Fratopolis

explain? the let's encrypt cert is auto renewed, it will do this by itself before it expires.

 

I am assuming you are asking is there an api to export the cert from the router. That I am not sure.

 

But you could ssh to the router then convert the two pem files with this command exactly (openssl pkcs12 -export -out /etc/cert.pfx -inkey /etc/key.pem -in /etc/cert.pem -password pass:YOURECERTPASSWORDHERE)

 

I haven't automated the export to emby yet. I will later.

 

 

Basically, beginners who want to do this would have to export the auto-renewed cert once every three months by clicking the export.

then convert the files using a site like this https://www.rapidsslonline.com/ssl-tools/ssl-converter.php

then put the file you get from the site into emby.

 

takes about i don't know maybe 60 seconds once every three months.

If this is possible then you could script the export to run after the certificate is re-issued, write the file to the appropriate location and then proc a local script on the server to run an OpenSSL script to convert the file and restart the Emby web service. That would be pretty damn close to the level of automation I do on a PFsense firewall.

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

Fratopolis

If this is possible then you could script the export to run after the certificate is re-issued, write the file to the appropriate location and then proc a local script on the server to run an OpenSSL script to convert the file and restart the Emby web service. That would be pretty damn close to the level of automation I do on a PFsense firewall.

 

 

Sent from my iPhone using Tapatalk

The router itself can convert the files to pfx as it has openssl, hence the command I listed. I suppose you could add a cron job to automatically convert monthly. I'm sure it can be done.

 

http://demoui.asus.com - They haven't updated the demo to the SSL Let's Encrypt version but here it the demo so you can get a feel for it.

 

I have the RT-AC88U, and just recently bought from amazon the Tmobile branded ASUS Router on the cheap TM-AC1900 and converted it to an RT-AC68U following the guides online (the rt-ac68u model does not have the let's encrypt function only the top end models do)

https://www.amazon.com/Wireless-AC1900-Dual-Band-AiProtection-Certified-Refurbished/dp/B075GYWPCJ/ref=sr_1_1?ie=UTF8&qid=1515991675&sr=8-1&keywords=tm-ac1900

Edited by Fratopolis
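The renewal-hook idea discussed above (convert the auto-renewed PEM pair to PFX with openssl, drop it into Emby, restart), written out as an added example that is not the poster's script nor anything shipped by Emby or Asus. The file paths, the PFX_PASS environment variable and the EMBY_RESTART_CMD hook are assumptions; the script adds the two checks a practitioner wants before overwriting a working bundle: that the key really belongs to the certificate, and that the certificate is not about to expire (i.e. renewal actually happened).

```shell
#!/bin/sh
# Hypothetical Emby certificate renewal hook (added example; paths are assumptions).
# Turns a Let's Encrypt key/cert PEM pair into the PKCS#12 bundle Emby loads,
# but only after verifying the pair is consistent and still valid.
set -eu

KEY_PEM="${KEY_PEM:-/etc/key.pem}"
CERT_PEM="${CERT_PEM:-/etc/cert.pem}"
PFX_OUT="${PFX_OUT:-/etc/cert.pfx}"
# Command that makes Emby reload the certificate; no-op by default (assumption).
EMBY_RESTART_CMD="${EMBY_RESTART_CMD:-:}"

# Returns 0 when the public half of private key $1 equals the public key in cert $2.
# Compares SHA-256 digests of the DER-encoded public keys, so any key type works.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

# Returns 0 when certificate $1 remains valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Writes $3 as a PKCS#12 bundle of key $1 and certificate $2.
# The export password comes from the PFX_PASS environment variable instead of a
# "-password pass:..." argument, so it is not visible in the router's process list.
convert_to_pfx() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    cert_valid_for "$2" 604800 || { echo "certificate expires within 7 days" >&2; return 1; }
    umask 077   # the bundle contains the private key: owner-readable only
    openssl pkcs12 -export -inkey "$1" -in "$2" -passout env:PFX_PASS -out "$3"
}

# Entry point for cron:  PFX_PASS=... sh emby-cert-hook.sh run
if [ "${1:-}" = "run" ]; then
    : "${PFX_PASS:?set PFX_PASS to the PKCS#12 password configured in Emby}"
    convert_to_pfx "$KEY_PEM" "$CERT_PEM" "$PFX_OUT"
    $EMBY_RESTART_CMD
fi
```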

horstepipe

Emby server doesn't have an option to require client side certificates.

 

You would need to do this in a reverse proxy or cloudflare setup.

 

So why is there an option for it in Emby for Kodi settings @Angelblue05?

 

Looks like Cloudflare provides client certs only for business customers for now, see:

https://blog.cloudflare.com/introducing-tls-client-auth/

 

So last option would be to setup an additional reverse proxy like nginx. I'm wondering if setting up client certs in nginx or similar would work when Cloudflare is being used in front of it?

 

Best regards


So why is there an option for it in Emby for Kodi settings @Angelblue05?

 

Looks like Cloudflare provides client certs only for business customers for now, see:

https://blog.cloudflare.com/introducing-tls-client-auth/

 

So last option would be to setup an additional reverse proxy like nginx. I'm wondering if setting up client certs in nginx or similar would work when Cloudflare is being used in front of it?

 

Best regards

If you are going to implement an RP and stand up a private CA for client certificates, I would recommend only using cloudflare for their DDOS protection.

 

Note that implementing client certificates may not be easy. Specifically, how they will work in the Emby app/Emby for kodi addon and whether you can load them on smart devices.

 

 

Sent from my iPhone using Tapatalk


adrianwi

explain create multiple certs? was this question for me adrianwi?

Sorry and yes! I was just interested if the router let you create multiple certificates for different domains/sub-domains, although the more I’ve thought about it I’m not sure how it would handle them even if it could.


horstepipe

If you are going to implement an RP and stand up a private CA for client certificates, I would recommend only using cloudflare for their DDOS protection.

Note that implementing client certificates may not be easy. Specifically, how they will work in the Emby app/Emby for kodi addon and whether you can load them on smart devices.

Sent from my iPhone using Tapatalk

Thanks

Could you please explain why you’d use Cloudflare only for DDOS-protection in this case?

 

As we’re only using Kodi (where you can select a client certificate in Emby for Kodi settings), smart devices wouldn’t be a problem here, would they?

 

Best regards


Fratopolis

Sorry and yes! I was just interested if the router let you create multiple certificates for different domains/sub-domains, although the more I’ve thought about it I’m not sure how it would handle them even if it could.

 

Here is the list from the interface. I am guessing though you are asking if it will support multiple names like xxxxx1.com,xxxxx2.com.  That it does not, but if you are good enough in scripting you could possibly create a cron job that changes the ddns service via command line once every three months and initiates a renew; then the next line after that would copy the cert as a different name, then finally the script changes back to the original ddns and renews the original. But I am not sure if the router supports ddns change via command or if it's possible at all. Never tried, but this did give me an idea to try it. You'd have to research that.

 

How many domains do you have lol. Guessing this is not a home project.

 



Thanks

Could you please explain why you’d use Cloudflare only for DDOS-protection in this case?

 

As we’re only using Kodi (where you can select a client certificate in Emby for Kodi settings), smart devices wouldn’t be a problem here, would they?

 

Best regards

I won’t lie, I am not a fan of cloud hosted services; I avoid them like the plague. That is my preference and inherent distrust of using someone else’s servers. I will admit it is an appropriate tool to address a few situations: HA, world-spanning services, and minimizing the need for maintaining an organization’s own infrastructure. Cloudflare hosts a few different product offerings. In their free config you should get the DDOS protection, and ssl config between your clients on the public Internet and your cloudflare environment.

 

In this case, Cloudflare’s product offering is mitigating the threat from DDOS attacks. Some also feel that keeping their home’s public IP addresses off public DNS lists adds a measure of protection through obscurity.

 

The only thing you’ll have trouble doing at home that cloudflare offers is the DDOS mitigation.

 

I guess you could also use their SSL certificate between the public Internet client and your cloudflare service.

 

You will need to ensure that you are properly forwarding the public source IP address of clients and then work out how the hand off of the client certificate will be handled with the cloudflare product to the client certificate authentication on your local RP.

 

Sent from my iPhone using Tapatalk

Edited by Tur0k
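The private CA for reverse-proxy client certificates that Tur0k suggests above, and the Cloudflare hand-off question raised in the last post, as an added example (not code from any poster, from Emby or from nginx). Names, paths and validity periods are assumptions; the basicConstraints CA:TRUE on the CA comes from openssl's default self-signed extensions, and the client certificate is restricted to the clientAuth EKU, which is what `openssl verify -purpose sslclient` (and nginx with ssl_verify_client on) checks.

```shell
#!/bin/sh
# Minimal private CA issuing client certificates for a reverse proxy in front of
# Emby (added example; directory layout and names are assumptions).
set -eu

# Creates the CA key and self-signed CA certificate in directory $1.
make_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$1/ca.key" 2>/dev/null
    chmod 600 "$1/ca.key"
    # keyUsage limits the CA key to signing certificates and CRLs.
    openssl req -x509 -new -key "$1/ca.key" -days 3650 -subj "/CN=Emby client CA" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" -out "$1/ca.pem" 2>/dev/null
}

# Issues a client certificate for user $2 (files $1/$2.key, $1/$2.pem).
# extendedKeyUsage=clientAuth means the cert cannot be reused as a server cert.
issue_client() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$2.key" 2>/dev/null
    chmod 600 "$1/$2.key"
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -days 365 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# Returns 0 when $1/$2.pem chains to $1/ca.pem and is usable for TLS client auth;
# this is the same trust decision the reverse proxy makes against its client CA file.
verify_client() {
    openssl verify -CAfile "$1/ca.pem" -purpose sslclient "$1/$2.pem" >/dev/null 2>&1
}
```

Note that when Cloudflare proxies the hostname, the user's TLS session terminates at Cloudflare and the origin proxy never sees the user's certificate, so client-certificate checks on the origin only work for connections that reach it directly (DNS-only records, a VPN, or mTLS performed by Cloudflare itself).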

Sorry and yes! I was just interested if the router let you create multiple certificates for different domains/sub-domains, although the more I’ve thought about it I’m not sure how it would handle them even if it could.

In PFsense you have packages (these are secondary addon applications) for DDNS, Let’s Encrypt ACME certificates, IDS, private CA features, VPN, RADIUS server, network syslog, reverse proxy, ad and malicious site DNS blocking (similar to Pi-hole), malicious IP blocking, world region IP blocking, web filtering and network level AV. Additionally PFsense has all the features of a conventional firewall: IPv4/6 support, DNS, DHCP, support for VLANs, routing features, firewall features, even WiFi AP capability, etc. The only thing I have found that it can’t do is actively change QoS on incoming or outgoing packets, though I figured out how to do this in the underlying OS. It is literally a Batman utility belt for network geeks.

 

In PFsense you can manage as many dynamic domains as needed, and the acme client can handle Let’s Encrypt ssl certificates from multiple domains and subdomains. Though I will note PFsense has a bit of a learning barrier and increased initial cost due to purchasing a full PC to run it on.

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

Thanks

Could you please explain why you’d use Cloudflare only for DDOS-protection in this case?

 

As we’re only using Kodi (where you can select a client certificate in Emby for Kodi settings), smart devices wouldn’t be a problem here, would they?

 

Best regards

I didn’t know that the Emby for kodi addon had a client cert field. That is pretty sweet. Honestly, I haven’t had time to test client certificates on my reverse proxy yet. Browser access should work with client certificates. I hope that I can get the client certificate loaded to the certificate store on the smart devices we use and Emby Theatre and Emby app just works but I doubt it. In the event it doesn’t work I would likely put in a request for the feature as for me this would mitigate a good portion of the risk associated with allowing my Emby server to be accessible to the public Internet.

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

adrianwi

 

How many domains do you have lol. Guessing this is not a home project.

 

 

 

It's in my home, but it's probably more of a small business setup :D

 

I was thinking about a new router to replace my Apple Airport Extreme, but need to do some wider research.  I run various external services (VPN, WordPress, ownCloud, emby, calibre) from a FreeNAS box (using a variety of jails and VMs).  These are all accessed through a Jail running an NGINX reverse proxy and certbot to handle the SSL certificates.  It works OK and I have awstats setup to give me some ideas of what traffic is coming in, although I'd like a little more visibility and control.  Perhaps I need to investigate pfsense a little more.


It's in my home, but it's probably more of a small business setup :D

 

I was thinking about a new router to replace my Apple Airport Extreme, but need to do some wider research. I run various external services (VPN, WordPress, ownCloud, emby, calibre) from a FreeNAS box (using a variety of jails and VMs). These are all accessed through a Jail running an NGINX reverse proxy and certbot to handle the SSL certificates. It works OK and I have awstats setup to give me some ideas of what traffic is coming in, although I'd like a little more visibility and control. Perhaps I need to investigate pfsense a little more.

You can run PFSense as a vm.

 

 

Sent from my iPhone using Tapatalk

