Accend Networks San Francisco Bay Area Full Service IT Consulting Company

Category: Blogs

Categories
Blogs

ClearPass Self Signed Certificate

ClearPass Policy Manager
ClearPass Policy Manager

What are Digital Certificates?

Digital certificates are a crucial component of modern cybersecurity and online authentication. They are essentially electronic documents used to verify the identity of individuals, devices, or services on the network. Digital certificates serve several important purposes, with the primary one being the assurance of the authenticity and security of online communications and transactions.

Certificate Authorities (CAs) are entities responsible for issuing digital certificates. CAs are organized into a hierarchical structure, with Root CAs positioned at the top of the hierarchy. When a Root CA signs digital certificates, it employs its private key to create digital signatures. These signatures serve as a cryptographic seal of approval, attesting to the authenticity and integrity of the certificates being signed. The signed certificates, whether they belong to intermediate CAs or end entities, inherit the trust associated with the Root CA.

Types of CAs That Sign Digital Certificates?

Certificates can be signed by one of three types of CAs:

  • Public Certificate Authority (CA)
  • Private CA
  • Self-signed certificates.

Public CA Signed Certificates are perhaps the most familiar type of digital certificate. These certificates are issued by well-known and trusted third-party Certificate Authorities. Certificates signed by Public CAs enjoy widespread recognition and trust across the internet. Web browsers and operating systems come preloaded with the root certificates of these CAs, ensuring that users won’t encounter security warnings when visiting websites secured with these certificates. Public CA certificates work seamlessly across a vast array of devices, browsers, and platforms, ensuring a consistent and secure user experience.

Private CA Signed Certificates are generated and managed by organizations for their internal use. These CAs operate within closed environments. Private CAs provide complete control over certificate issuance and management. This makes them invaluable for securing internal network resources, services, and communications. Using Private CAs can be cost-effective, especially for organizations that require multiple certificates for various internal services. There are no ongoing per-certificate fees. The main drawback of these certificates is that the private root CA must be trusted by all devices that need to build trust relation ship using these certificates.

Self-signed certificates are precisely what the name suggests—they are generated and signed by the entity for which they are intended, without the involvement of any external CA. Self-signed certificates are free to create and use, making them a budget-friendly choice for those on a tight budget. These certificates can be generated and deployed rapidly without the need for external validation, which is ideal for testing and development environments.

There are some limitations with self-signed certificates:

  • Limited Trust: Self-signed certificates are not trusted by default in most web browsers and systems. Users will often encounter security warnings when accessing services secured with self-signed certificates.
  • Security Risks: Since self-signed certificates do not undergo third-party validation, there is a higher risk of them being used maliciously or mistakenly, potentially compromising security

Follow Recommendations:

As a RADIUS server, ClearPass benefits from digital certificates for mutual authentication to ensure the security and trustworthiness of the authentication and authorization process in network environments. Mutual authentication between the RADIUS server and the client provides several crucial advantages:

  • Protection Against Impersonation: Mutual authentication using digital certificates prevents impersonation attacks. Without certificates, malicious parties could potentially impersonate either the RADIUS server or the client, leading to unauthorized access or the interception of sensitive data. Certificates verify the authenticity of both parties involved in the communication, making it significantly more difficult for attackers to impersonate them.
  • Enhanced Security: Mutual authentication significantly enhances security by requiring both the server and the client to present valid digital certificates. This means that not only does the client verify the server’s identity (as is the case with one-way authentication), but the server also verifies the client’s identity. This two-way trust ensures that only authorized and trusted parties can participate in the authentication and authorization process.
  • Protection Against Man-in-the-Middle (MITM) Attacks: Digital certificates help mitigate MITM attacks, where an attacker intercepts communications between the RADIUS server and the client. In a mutual authentication setup, an attacker would need to possess valid certificates for both the client and the server to successfully impersonate them, making MITM attacks significantly more challenging.
  • Identity Verification: Mutual authentication using digital certificates ensures that the client and the RADIUS server verify each other’s identities before proceeding with the authentication process. This adds an extra layer of assurance that the parties involved are legitimate and authorized to access the network resources.
  • Secure Key Exchange: During the mutual authentication process, the client and the RADIUS server may also exchange encryption keys securely. This is essential for establishing a secure communication channel for the exchange of sensitive data, such as usernames and passwords. Without mutual authentication, there would be a greater risk of these keys falling into the wrong hands.
  • Compliance and Security Best Practices: Many security standards and best practices recommend or require mutual authentication using digital certificates to ensure the security of network access control systems like RADIUS. This includes protocols like EAP-TLS (Extensible Authentication Protocol-Transport Layer Security), which relies on mutual authentication through certificates for secure authentication.
  • Protection of Sensitive User Data: RADIUS servers often handle sensitive user data, including usernames and passwords. Mutual authentication using digital certificates helps safeguard this sensitive information by ensuring that it is transmitted securely between trusted parties.

ClearPass Seld-Signed Certificate Renewal?

Although public or private Cas are recommended in many cases for ClearPass EAP or HTTPS services, there are cases where self-signed certificate provides some advantages like ease of generation and renewal. In this article I am explaining the steps required to renewing/issuing-a-new self-signed certificate for different ClearPass certificates:

1- Login to ClearPass Policy Manager from WebUI.

2- From the left side menu, click on administration.

3- From the “Administration” sub-menu go to Administration  Certificates  Certificate Store.

ClearPass Policy Manager

4-  From this page you can see current certificates for different usages. You can select a combination of server (if you have multiple servers in a cluster) and usage. Usage can be one of the following options in ClearPass 6.9

    1. RADIUS/EAP
    2. HTTPS(ECC)
    3. HTTPS(RSA)
    4. RadSec Server
    5. Database Server

5- Select the certificate you want to reissue/renew and verify issue and expiry dates.

6- You can export the certificate from this page, you can also view details (I suggest you capture the current details if you want the new certificate to match the current one)

7- If any certificate is about to expire, click on “Create Self-Signed Certificate”

8- Select “Server Certificate”

9-  Select the server and usage you want and fill the details (you can follow the same values as current certificate or use the values that matches your organization better). Please note:

  1. You need to provide private key password. You need to take note of this password and store it in a safe place for any future retrieval.
  2. The maximum number of days of validity is 2000 days

10- After filling all required fields, click on submit.

11- Review the new certificate. If all good click on install

12- Make sure the certificate is updated successfully. Verify new certificate details.

13- You need to repeat the same process for every certificate usage you need to renew/re-issue. You can also consider exporting and importing this same certificate to other usages.

Categories
Blogs

Check Your Cisco Software

Check Your Cisco Software

Use the Cisco Software Checker to search for Cisco Security Advisories that apply to specific software releases of the following products: Cisco ASA, FMC, FTD, FXOS, IOS, IOS XE, NX-OS and NX-OS in ACI Mode.

To use the tool, select a product, platform (as required) and one or more releases, enter the output of the show version command, or upload a text file that lists specific releases. Then narrow the check to certain advisories, if desired.

The availability of security fixes after the End of Sale is defined in the product’s End-of-Sale announcement, as explained in the Cisco End-of-Life Policy. Additional information about Cisco software updates, vulnerability rating and scoring is available in the Cisco Security Vulnerability Policy.

This tool does not provide information about Cisco IOS XR Software or interim software builds. Also note that for Cisco ASA, FMC, FTD and FXOS Software, the tool only contains vulnerability information for Cisco Security Advisories first published from January 2022 onward, and for NX-OS Software and NX-OS Software in ACI Mode from July 2019 onward.

To find vulnerabilities using the Cisco Software Checker, follow these steps:

Access the Cisco Software Checker:

Visit the Cisco Software Checker web page. You can find this tool on Cisco’s official website or by searching for “Cisco Software Checker” in your preferred search engine.

https://sec.cloudapps.cisco.com/security/center/softwarechecker.x

Provide Software Information:

Enter the details of the Cisco software version you want to check for vulnerabilities. This typically includes the software name, version number, and possibly other relevant information

Select a Method

  1. Search By Release
  2. Select a Cisco Operating System (In this tab you can select your device)

      3. Select FTD platform (in this tab you can select your device model)

     4.Select one or more FTD releases (In this tab you can select current OS version)

You can select more than one OS version too.

Run the Continue:

Click the ” Continue “button to initiate the vulnerability check. You can check/uncheck Cisco Security impact rating, like All, Critical, High, Medium etc.

Run the Continue

Click the ” Continue “button to initiate the vulnerability check

Review the Results:

The tool will generate a report that indicates whether the software version you entered is vulnerable to any known security vulnerabilities. The report may include details about the vulnerabilities, their severity, and potential impact.

In this report, we can see all impacts of Cisco FTD 2100 Series software release 7.0.2 and workaround/fixes as well.

Follow Recommendations:

For any identified vulnerabilities, the tool will provide recommendations on how to address the issues. These recommendations may include upgrading to a patched version, applying workarounds, or implementing other security measures.

Select any Title and you’ll get more information about that BU

•  Summary
• Affected Products
• Vulnerable Products
• Determine the Software Configuration
• Workarounds
• Fixed Software

Additional Information:

The tool may provide links to relevant Cisco Security Advisories or other documentation for further information about the vulnerabilities and how to mitigate them.

Take Action:

Based on the results and recommendations, take appropriate action to address the vulnerabilities. This may involve updating your software to a non-vulnerable version, applying patches, or implementing other security measures.

Remember that the Cisco Software Checker is designed to help you identify vulnerabilities in known software versions based on information provided by Cisco. It’s important to regularly check for updates and follow Cisco’s security advisories to stay informed about the latest vulnerabilities and recommended actions. Additionally, consider implementing a comprehensive security strategy that includes regular patching, network segmentation, intrusion detection, and incident response planning to enhance your overall network security.

Categories
Blogs

PKI – Public Key infrastructure

Public Key infrastructure

1. How you can make it healthier and safe

2. How to make it efficient

3. If we do PKI then what best practice should we move on with

What is PKI (public key infrastructure)?

PKI (public key infrastructure) is the underlying framework that enables entities -- users and servers -- to securely exchange information using digital certificates. The entities that facilitate and use PKI typically involve general internet users, web clients or browsers, and company servers -- though this can extend to other virtual machines (VMs) as well.

The word infrastructure describes PKIs since it does not refer to one single physical entity. Instead, it refers to the components used to encrypt data and authenticate digital certificates. These components include the hardware, software, policies, procedures, and entities needed to safely distribute, verify and revoke certificates.

Public key infrastructure (PKI) is the well-established protocol for organizations that need to secure distributed points of communication, such as browsers and IoT and mobile devices. For device manufacturers and application developers, revenue security depends on creating a highly secure ecosystem that ensures regulatory compliance and consumer trust.

The security needs of networks and the infrastructure protecting them change over time in response to new threats and advances in technology. With tens of billions of IoT devices already in operation, the potential attack vectors for hackers to steal data or infiltrate systems are great and growing exponentially. PKI is a vital element of IoT network security, provisioning unique device identities, bolstering authentication protocols, and enabling trusted communication channels between servers and devices. However, not all implementations follow PKI security best practices, resulting in flawed and vulnerable systems.

in technical terms, PKI is a two-key asymmetric cryptosystem that supports various information technology (IT) systems in their pursuit of high-level information confidentiality, encryption and confidence. The two keys, in this case, are also the two main pieces that facilitate this secure data management: a public key and a private key.

To put PKI in the best practice possible as well efficiently I would like to use the 7-Step Method in order.

(PKI) 7-Step Method
Step – 1 (Initial PKI design)
To ensure a secure and smooth PKI setup, start by following some simple best practices. Plan Our implementation carefully from the beginning because making changes later can be difficult and costly. Understand your PKI needs well, both now and for the future. By doing this, we will avoid potential security risks and save time and resources, making your PKI experience much easier.
Step - 2 (Address the entire key and certificate

Define key and certificate security policies and protocols that address every stage of their lifecycle. Establishing a PKI may seem straightforward from the outset, but when one considers the millions of certificates that will possibly be issued, their expirations, and the security issues that would require revocation, it can quickly become very complicated. This becomes a potential security flaw, as the more complex a PKI is, the more difficult it is to track identities and revoke certificates that could be used to breach a system.

An important PKI design best practice is to plan for the entire lifecycle of certificates. By fully mapping the policies regarding the issuing, updating, monitoring, expiry, revocation, and decommissioning of certificates, all future managers of the PKI will have a clear outline of what should happen with certificates at all stages of their existence.

Step - 3 (Employ strict protections for private keys)

The cryptographic keys that are used in the PKI are the most vulnerable point of a PKI deployment and must always be protected. Hackers can use a variety of techniques to analyze and detect keys while they are in use or transit. Once in control of these keys, they can decrypt private data or pose as authenticated users to access systems. Within this context another PKI security best practice is to always use hardware security modules (HSMs), where possible, to store keys and perform cryptographic operations.

If you need to provision older devices without a secure update mechanism, which are already in the field, make sure to use white-box cryptography so that keys are not exposed in the clear during the provisioning process.
Step - 4 (Conduct regular certificate authority audits)
Throughout a PKI deployment, regular checks should be performed to ensure that the Certificate Policy and Certificate Practice Statements (CP/CPS) are being implemented and adhered to. Even for internal deployments, it is still a PKI design best practice to create audit trails that can be easily accessed and monitored. This ensures compliance with security policies and with the desired assurance level of the organization.
Step - 5 (Protect the roots)
The root CA is the master key that underpins the entire PKI. If it is compromised, every certificate issued is invalid and would have to be revoked and reissued. PKI deployment best practices dictate that the root CA remains strictly protected and is never published online. The initiation of a PKI should begin with a root signing ceremony, where the policies surrounding the root are established. These policies should cover the root’s chain of custody, where the root is stored, and how it’s scripted.
Unfortunately, attacks on PKIs are not just an external issue. The private keys and other data surrounding your PKI can be extremely valuable. For that and other reasons, threats can also come from employees. There are a number of PKI deployment best practices that can be implemented to mitigate internal threats. These include using secured rooms for key and root programming that require two or more security IDs to access, and using a distributed security model that ensures there is no single point of responsibility that can be compromised.

Issuing certificates and provisioning keys and identities as PKI security best practices are still only one step in running a secure PKI. The ongoing integrity must be maintained. This includes a process for revoking keys and certificates that can no longer be trusted. Certificate authorities should maintain a certificate revocation list, which contains all suspended security certificates. Communications with a device or application using a revoked certificate should be blocked. For example, an IoT device using a certificate that is no longer authorized will not be able to gain access to a server.

Creating a highly secure and trusted ecosystem for your organization’s devices or applications depends on a successful and ongoing PKI deployment that follows PKI implementation best practices. While it’s possible to develop and manage a PKI internally, it requires resources and expertise outside of many organizations’ capabilities and may not scale smoothly as production grows.

Step - 7 (Revoke compromised keys and certificates)
Intertrust PKI is a managed PKI for IoT service that is trusted across the world and already secures the identities of billions of devices. Our scalable and flexible identity provisioning and PKI management is built on PKI design best practices and utilizes industry-leading security technologies, including white-box cryptography, to ensure that your networks and organizations are secured against risks arising from distributed communication points.
Categories
Blogs

Configuring IP on Cisco Secure Firepower Threat Defense (FTD) & Adding a Secure Firepower Management Center (FMC)

Cisco Secure FTD and FMC
Cisco Secure FTD and FMC
Cisco Secure FTD and FMC

Configuring IP Cisco Secure Firepower Threat Defense (FTD) & Adding a Secure Firepower Management Center (FMC)

Cisco Secure Firepower Threat Defense (FTD) is a comprehensive security solution that combines firewall, intrusion prevention, and advanced threat protection capabilities. To effectively deploy and manage a Cisco FTD device, configuring the IP address is a critical step. This article provides a step-by-step guide on how to configure IP addresses in a Cisco Secure FTD device and its management interface, the Cisco Secure Firepower Management Center (FMC).

Step 1: Configuring IP on a Cisco FTD Device:

  • Power on the FTD Device:
  • Connect the power cable to the FTD device.
  • Plug the power cable into a power outlet.
  • Turn on the power switch on the FTD device.
  • Connect to the FTD Device:

Step 2: Connect a console cable to the FTD device and your computer:

  • Launch a terminal emulator program (e.g., PuTTY, SecureCRT).
  • Configure the terminal emulator settings to match the appropriate serial port and communication parameters (e.g., baud rate, data bits, parity, stop bits).
  • Access the FTD Device CLI:

Step 3: Open the terminal emulator program and select the appropriate serial port to which the console cable is connected.

  • Set the communication parameters as configured in the previous step.
  • Press Enter to display the FTD device login prompt.
  • Log in to the FTD Device:
  • At the login prompt, enter the default username "admin" and the default password "Admin123" (for newer versions) or "Admin123" (for older versions).

If prompted to change the default password, follow the instructions to set a new password.

Step 4: If prompted to change the default password, follow the instructions to set a new password.

configure network ipv4 manual Replace `` with the desired IP address for the management interface and `` with the appropriate subnet mask.

Step 4: Verify the configuration: Use the "show network" command to verify the IP address configuration for the management interface.

2. Configuring add manager on a FTD Device:

Step 1: Configure the FMC Manager:

Use the following command to add the FMC manager to the FTD device:

configure manager add <FMC_IP> <REGISTRATION_KEY>

Replace `<FMC_IP>` with the IP address of the FMC and `<REGISTRATION_KEY>` with the registration key provided by the FMC.

Step 2: Verify the FMC Manager Configuration:

To ensure that the FMC manager has been added successfully, enter the following command:

show managers

This command will display the FMC manager’s IP address and its status.

To add a Cisco Secure Firepower Threat Defense (FTD) device to a Secure Firepower Management Center (FMC) for centralized management and monitoring, follow these steps:

Step 1:Access the Firepower Management Center (FMC):

  • Open a web browser on a computer connected to the same network as the FMC.
  • Enter the IP address or hostname of the FMC in the browser's address bar.
  • Log in to the FMC using valid administrator credentials.

Step 2: Navigate to the Device Management Section:

After logging in to the FMC, navigate to the “Devices” section. This section is typically located in the top navigation menu.

Step 3: Add a New Device:

In the “Devices” section, click on the “Device Management” tab.Click on the “Add Device” button to initiate the process of adding a new device to the FMC.

Step 4: Enter Device Details:

  • In the "Add Device" form, enter the necessary information for the FTD device:
  • Device Name: Provide a descriptive name for the device.
  • Device Hostname or IP Address: Enter the hostname or IP address of the FTD device.
  • Device Type: Select "Firepower Threat Defense" as the device type.
  • Registration Key: Enter the registration key for the FTD device. This key is obtained from the FTD device CLI.
  • Access Policy: Select an appropriate access policy to apply to the device. If no access policies are available, create one beforehand.

Step 5: Verify Device Connection:

Click on the “Test Connectivity” button to verify the connection between the FMC and the FTD device. Ensure that the connectivity test is successful.

Step 6: Save and Apply Changes:

After verifying the device connection, click on the “Save” button to save the device configuration in the FMC.

The FMC will initiate the process of adding the FTD device to its managed devices list

Step 7: Monitor Device Registration:

Once the FMC has added the FTD device, it will start the registration process.

Monitor the “Devices” section or any notifications on the FMC for the registration status of the FTD device. The FMC will retrieve the device configurations and apply the assigned access policy to the FTD device.

Once the FTD device is successfully added to the FMC, it can be centrally managed and monitored through the FMC’s web interface. The FMC provides extensive security policy management, threat monitoring, and reporting capabilities, enabling administrators to effectively manage their network security using the FTD devices.

The FMC would take a few minutes before completing the FTD registration. You can check the status by going to the Notifications > Tasks menu on the top right side:

Configuring IP addresses in Cisco FTD devices and their management interface, the Firepower Management Center, is essential for proper network connectivity and effective device management. By following the step-by-step instructions outlined in this guide, network administrators can successfully configure IP addresses in Cisco FTD devices and configure manager as well, enabling them to monitor and secure their networks efficiently.