The Internet with all it’s glory also opened a gateway to our homes for the predators. Following the news you read almost weekly about police shutting down large pedophile groups, and that’s a good thing. Law enforcement units are able to hunt them down using the networks. But just as the good guys use the networks to find them, the bad guys use the networks to share their sick and twisted materials.

How do we protect our children from this?

I know the most effective ways are to, from a young age, teach them how to behave in social medias etc. But does it protect them enough. I don’t think so!

If you work as a systems administrator and have the privilege of watching firewall logs you’ll know what I know. Even if there is a company policy saying you can’t do this or can’t do that, people will still do it if you don’t prevent it. And you need to remember these are adults, so do we expect our children to follow these rules without ever crossing lines. I hope your not that blind, because they will.

So how do we protect them, the most secure way might be to sit the sessions with them, but that’s never going to work. My daughter is only 6 months so I don’t expect to know everything yet but I’m guessing someone with a teenage daughter trying to sit with them while they chat with their friends would hear a lot of *unfriendly* words. Correct me if I’m wrong.

The same goes to using spy software, not to mention in some countries it’s illegal.

There are also many devices children use. They use cell phones, computers, PSP, MP3 players, Nintendo’s, Playstation’s, Xboxes and many more. Most of them able to connect to the internet.

Using proxy services and firewalls

We can block access to certain sites or allow access to only certain sites using proxies. And blocking every port and protocol except the ones needed for the proxy will effectively shut down any attempts made to chat with software like MSN, ICQ etc. But doing something like that do we also restrict our children from learning? Where does the line between security and paranoia go? Also I don’t expect every parent out there to sit at home and configure proxy services and firewalls. It’s just to hard for the masses.

Apple OS X does include really easy to setup services to some protection. Like blocking adult sites, allowing use of only a few software’s, usage time and bedtime. This is a great idea but at the same time it does need configuration. But unlike firewalls and proxies, OS X is like any Apple product easy to use.

Here you can see some of the settings.

If you know of software’s like this for other platforms like Microsoft Windows, Linux, Symbian, Windows Mobile, iPhone OS, Android etc let me know. I’ll try to test as many as I can and post the test results on this blog in a future post.

Trust your children

Should we just trust them to make the right decision when confronted with a choice? Yes and no is my answer. There is no way we can ever protect our children from everything bad out there. We should also let them do their own mistakes. As we did when we were young.

We do need to follow closely on behavior and patterns since we have the web working against us. And we need to know what’s going on by *knowing* our children. Not by spying on them! Create a relationship based on trust and teach them how to behave online just as you teach them how to behave in real life. The web isn’t that different from the real life. I’m guessing the hardest part is to get your child to trust you enough to be open about what’s going on in his/her life. And internet or not, that’s called parenting.

Are you a parent? Have you been thinking about this? Please comment. How did you solve the problem, or do you trust your child to make the right decision?

Configure Active Directory account

First we need to make sure the user will be able to connect to the SSTP VPN gateway. I have a test user called Sally Sales, and yes she works in the Sales department. So I use ADUC (Active Directory Users and Computers) to modify her account. She needs to have permissions to use Dial In even if she really isn’t dialing in.

So select the users properties and on the Dial In tab change Network Access Permission from Control access trough NPS Network Policy to Allow Access. We can’t use NPS Network policies since we don’t have an Network Access Protection server, for the moment anyway. Once your done just click ok. Sally Sales is now minutes away from connecting with VPN.

Configure Vista SSTP VPN client

Next we need to take care of Sally’s laptop. Normally she could fix this herself since the vpngw.nixadmins.net is already on a public network. But in our test lab we are using the HOST file to point her the right way.

Open the command prompt on your Vista workstation using Administrative privileges. In the prompt enter

notepad.exe C:\Windows\System32\Drivers\etc\hosts

Because we don’t have a DNS on our “public” network we have to use the host file. So at the end of the file add a line 10.0.0.1 vpngw.nixadmins.net (in my case, yours might differ).

Save the file.

Create the new VPN Network connection

Now we need ( using Sally’s credentials ) to create the new network connection.  So right click on the network icon in the system tray and select Connect to a network.

Select Setup a connection or network. Select Connect to a workplace.

Click next and select Use my Internet connection (VPN).  Because this is a virtual machine with a local only network the system asks us if we want to set up a Internet connection. We already have one so we choose I’ll set up an Internet connection later.

Next are the settings for the VPN gateway. So the internet address should be your public name of the server, in my case vpngw.nixadmins.net and let’s give Destination name an clear name saying Corporate VPN connection.

We aren’t using a smartcard and for now we don’t want to share this connection either. So just click next. I also won’t type the username and password here. I’ll rather provide them at login. That’s it. The connection is now ready to use.

But at the moment it will use PPTP and we want to use SSTP. So let’s continue. Go to your network connections and select properties on the Corporate VPN Connection. Select the tab Networking and change the Type of VPN to Secure Socket Tunneling Protocoll (SSTP).

Testing the SSTP VPN connection

Now we can test our new SSTP connection. So in the system tray right click on your network icon and select connect to a network. Select the Corporate VPN Connection and supply your user credentials. ssales in my case.

Then just click connect and wait a moment for the tunnel to connect.

That’s it. Your client is now connected to your corporate headquarters.  As I have shown you in these two short articles. Supplying your users with a secure offsite connection to the corporate network isn’t a great deal of work. Anyway, these are just the basics. So I encourage you to study more about securing Windows Server and take a look at Microsoft’s documentation on the Routing and Remote Access documentation. This is a server connected on the public Internet so caution is always a good thing.

Some extra reading can be found here

• Windows Server 2003 Routing and Remote Access
• New in Windows Server 2008 Routing and Remote Access
• Securing Windows Server 2008
• Routing and remote access blog on how SSTP based VPN works

That’s it for this time. Hope to see you soon when we take a look at Windows Server 2008’s capabilities in providing Network Access Protection (NAP). But that’s a story for another day.

Feel free to comment and provide me with feedback if you find this two part guide useful.

• Windows Server 2008 Enterprise running HEL-DC1
  • AD DS
  • DHCP
  • DNS
  • AD CS ( Certificate Services Enterprise CA)
• Windows Server 2008 Enterprise running HEL-NAT
  • 2 network interfaces – External and internal
• Windows Vista Business Edition
  • Service Pack 2

If you don’t have access to Microsoft Volume Licensing, a Technet Subscription or a MSDN Subscription you can download the trial versions of the systems above, they are free and you can use them for 180 days. So you’ll have more than enough time to complete this lab. Our setup will look as figure 1 shows.

Figure 1

As you can see we are using private IP:s only and we have not deployed a DNS server on our private little internet because the easier way in a small lab like this is to use the Windows host file.

The ip addresses assigned are as follows,

• hel-dc1 192.168.0.1/24
• hel-cli1 10.0.0.150/8
• vpngw
• Internal Network 192.168.0.254/24
• External Network 10.0.0.1/8

All machines are part of the domain. So before you move the hel-cli1 “laptop” out of the 192.168.0.0 network remember it has to be joined to the domain.

Setting up the VPN Gateway Server

So I’m depending on you to have a working Active Directory from this point on and the Domain Controller should have the Active Directory Certificate Services installed and it should be a Enterprise Certification Authority not a Standalone. Well then, let’s move on.

First of all we need to install the correct roles on our VPN Gateway server. So start up your Server Manager and select Add Roles.

Install Webb server role

To get SSTP-VPN working we need the Web server role. And we will use the IIS management console to get a certificate from the Enterprise Certification Authority (HEL-DC1 in my case). In server manager click Web Server (IIS) and add the required features.

When done select next next.

Role Services

For some reason we need to select every role service under security to be enable to get a certificate from the Enterprise CA. So select every role service under Security.

That’s it. Select next and at the Confirm Installation Selections click install and sit back and relax for a minute. Maybe even grab a cup of coffee if your system is slow enough .

Getting the web server certificate from the Enterprise CA

Next we need to get a certificate to encrypt our sessions and to identify the server. So we want the certificate name to be the same as the external DNS name of the server. In my case it’s the same as the internal DNS name. Open the Server manager again and go to Roles, Web Server, Internet Information Services Manager. Select the server name, VPNGW and select Server Certificates. In the right side Action Pane select  Create Domain Certificate. The most important field is the Common name, this is the field that identifies the server to the clients accessing it from the outside. So be sure to set the Common name to whatever your external server name is. In this case, vpngw.nixadmins.net. As I said in the beginning I’m running this in Virtual PC so I’ll use the host file to set it on the client but in a real world case this is important. Nagged enough? Ok, let’s move on.

After  clicking next you are presented with a dialog to select your Online certification Authority. Since we have our AD CS ( Active Directory Certificate Services ) running on our domain controller we just hit select and pick our Enterprise CA, the HEL-DC1.

Set the friendly name to something descriptive like SSTP Certificate since that’s what we will be using it for. Click finish and you should se the certificate in the list of server certificates.

Setting up Routing and Remote Access

The server also needs to be able to route the requests from the external to the internal network so we need the Routing and Remote Access role. In my case it also works as a router for the internal clients so they can access the external networks. Once again in Server Manager select add role and select Network Policy and Access Services.

Click next until Role Services. We won’t be using NAP quite yet, maybe in a later post if there is an demand for it, so just select the Routing and Remote Access Services.

Confirm the installation and sit back and wait.

Configuring Routing and Remote Access

We now need to activate the Routing and Remote access. In Server manger roles you’ll find the Network Policy and Access, Routing and Remote Access. As you can se it hasn’t yet been activated.

Right click Routing and Remote Access and select Configure and Enable Routing and Remote Access. I’m using this server for NAT so the internal clients use it as a gateway so I need to select Virtual Private Network (VPN) access and NAT. Click next and select your external network interface.

Set the IP Address Assignment to Automatically. This way it will use the internal DHCP server to relay the addresses.

Select No, use Routing and Remote Access to authenticate connection requests on the next page.

Finish the setup and wait for it to complete.

That’s it. Once the wizard is done you have Remote Access setup. Tomorrow we’ll go trough how to allow the client to access the network using our new SSTP VPNGW and we will set up our Windows Vista client to connect to our corporate network. Until then, I’ll answer your questions and if you have any requests on special subjects don’t be afraid to ask, I’ll do my best to create them. Se you tomorrow.

Take a look at his article http://articles.techrepublic.com.com/5100-10878_11-6089187.html

Calculating subnets

For those normal times when you’re not sitting in an exam and you’re able to use a specific calculator for this task I suggest you take a look at the following.

• Online Subnet Calculator
• IP Subnet Calculator

As with posts about calculating subnets, there are many subnet calculators out there. These two are the ones I use every time I need to calculate networks. The Online Subnet calculator is specifically good if you’re on a customers computer and don’t want to install anything while IP Subnet Calculator is something I keep installed on both my laptop and my desktops to be able to quickly check network settings if I need to.

“ASDM is unable to continue loading. Click OK to exit from ASDM.
Unconnected sockets not implemented.”

ADSM was however launching on my Windows 7 64-bit laptop so I started looking for any other difference than the OS. ADSM is a Java application so starting there was only reasonable. I ran Java JRE 1.6 update 13 in the Vista machine and 1.6 update 7 in the Windows 7 laptop.

Downgrading the Java JRE to 1.6 update 7 solved the issue and ADSM is now launching without any problems. So if you’re having trouble getting the Cisco ADSM to launch, check and possibly downgrade your Java Runtime Environment.

First of all you have to set it to always run as administrator. Go to the folder where it is installed and in the Bin folder you’ll find the OpenVPN-GUI executable. On the Compatibility tab you find Privilege Level, set it to Run this program as an Administrator

In your the parent folder find the config folder and open the config file. Add the following lines to the file.

route-method exe

route-delay 2

It’s like playing detective, like you used to do when you were a kid. For a few days now I’ve been looking at some network problems and had to rule out some firewalls. This very short article is something you can find in the documentation of your Juniper device or at Junipers website, http://www.juniper.net . So why am I writing about it? Well for some reason I find it easier to find my own writings than going trough a huge company website. It might be because of their large number of pages, articles, whitepapers etc. Anyway consider this something like a post-it for the few commands needed to do some debugging in a Juniper device.

The layout

To keep this fictional let’s say we have a network layout according to the following image. So we have two sites connected via Juniper SSG’s over internet using VPN. I’m not going into setting up the VPN, maybe a article for the future, for now let’s assume they are connected and are showing that the connection is up and running.

How a Juniper device checks a packet

To understand the flow filters and debug output we first need to take a look at how a packet makes it’s  way trough the firewall appliance. This is easy to see with a flowchart, so here it is. Click to get a larger image. As you can see there are quite a few checks before the package get’s sent out from the firewall. Let’s take a really fast look at the process.

- Sanity check, first the packet goes trough a sanity check to make sure the packet’s not corrupt.

- Session exists, check if this is an previously started session, if it is then go to check the action from the policy settings.

- Check destination, where is the packet going?

- Destination reachable? If it’s not we drop or reject the packet. If the destination is reachable we check the policy to if it’s allowed.

- Policy ok? If the packet’s not allowed we drop/reject the package. It it’s ok according to policy we move on.

- Arp query, we need to do a ARP Query to find out our way to the destination.

- Perform action according to policy, this is self explanatory.

- Add to session table, without this we couldn’t check if session exists.

So now that we know how the traffic move trough the firewall we can start looking at what’s happening when it does.

The Case

Let’s say we have a server in one of our subnet’s and the local systems administrator has problems whit it accessing the offsite DNS server. The DNS server is located in the other site. So to check if DNS traffic is going trough the VPN tunnel. If you have NSM you can do the same with it but this time I’m going to use plain old SSH access to the firewall. After you enter the prompt set up a filter to see the traffic.

set ffilter src-ip 192.168.2.250 dst-ip 192.168.1.251 dst-port 53

The command above sets flow filter to follow traffic coming from 192.168.2.250 and going to 192.168.1.251, and the destination port should be 53.

Now let’s turn on the debugging.

So what do we see here. First we see the packet passing sanity check.

packet passed sanity check.

The next line tells us that the local DNS server is indeed answering the DNS requests.

ethernet0/0:192.168.1.251/53->192.168.2.250/49788,17<Root>

The SSG also finds an existing session so the packet is handled according to the policies. No problems here so we can now go to do the same thing at the other end or start troubleshooting the DNS client offsite.

Turning of the debug

To clear the settings we type the following.

undebug all

unset ffilter

clear db

After that log out and you´re done.

Finishing words

As I said in the beginning this is a very short informational post. Nothing fancy. Just the basics. Hope you got as much out of it reading it as I got writing it.