Product Security Announcement: Aerohive's Response to "KRACK" (Oct 16, 2017)
by Sandhu on Oct 17, 2017
On Monday 16 October 2017 the US CERT published VU#228519 in response to a research paper from Mathy Vanhoef and KU Leuven titled "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2", which discussed vulnerabilities within the WPA2 standard itself. This attack has been named KRACK (Key Reinstallation AttACKs) and has its own website, at https://www.krackattacks.com/
These vulnerabilities may allow the reinstallation of a pairwise transient key, a group key, or an integrity key on either a wireless client or a wireless access point. Additional research also led to the discovery of three additional vulnerabilities (not discussed in the original paper) affecting wireless supplicants supporting either the 802.11z (Extensions to Direct-Link Setup) standard or the 802.11v (Wireless Network Management) standard. The three additional vulnerabilities could also allow the reinstallation of a pairwise key, group key, or integrity group key.
The set of CVE numbers (CVE-2017-13077 through CVE-2017-13088) is broadly applicable to all vendors of Wi-Fi products, including Aerohive.
AFFECTED PRODUCTS AND VERSIONS
- Any access point running Aerohive HiveOS version 8.1r2 or lower is affected, as are Aerohive BR100 and BR200 branch routers with integrated Wi-Fi.
- HiveManager Classic and HiveManager-NG are NOT vulnerable and are not affected.
- Aerohive switches are NOT vulnerable to this and are not affected.
- Aerohive's stand-alone applications (StudentManager, HiveSchool, etc) are not affected.
Per the researchers' paper, the main attack is against the 4-way handshake between the client and an access point; it does not exploit access points but instead targets client devices. The issue is that message 3 of the 4-way handshake can be replayed.
Even when still running susceptible versions of HiveOS, Aerohive does not believe the integrity of an Aerohive access point or branch router can be compromised by these attacks unless the device is acting as a mesh point or as a client to another access point. Aerohive branch routers and access points are not affected by these vulnerabilities when acting as a standard access point.
Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a victim wireless access point (AP) or client. After establishing a man-in-the-middle position between an AP and client, an attacker can selectively manipulate the timing and transmission of messages in the WPA2 Four-way, Group Key, Fast Basic Service Set (BSS) Transition, PeerKey, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK), or Wireless Network Management (WNM) Sleep Mode handshakes, resulting in out-of-sequence reception or retransmission of messages. Depending on the data confidentiality protocols in use (e.g. TKIP, CCMP, and GCMP) and situational factors, the effect of these manipulations is to reset nonces and replay counters and ultimately to reinstall session keys. Key reuse facilitates arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.
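As an added illustration (not part of Aerohive's advisory or the researchers' code), the following Python model shows why a replayed message 3 resets the supplicant's packet number and how the standard fix, refusing to reinstall a PTK that is already installed, prevents the nonce reuse. The keystream function is a constructed stand-in for CCMP and the PTK is a constructed value.

```python
# Model of a WPA2 supplicant receiving message 3 of the 4-way handshake.
# Added example with a toy keystream; not real CCMP and not HiveOS code.
import hashlib


def keystream(ptk, nonce, length):
    """Toy stand-in for CCMP: keystream depends only on key and packet number."""
    return hashlib.sha256(ptk + nonce.to_bytes(6, "big")).digest()[:length]


class Supplicant:
    def __init__(self, hardened):
        self.hardened = hardened   # True: apply the "do not reinstall" fix
        self.ptk = None
        self.installed = False
        self.pn = 0                # CCMP packet number, used as the nonce
        self.sent = []             # (packet number, ciphertext) pairs

    def on_msg3(self, ptk):
        # Receiving message 3 (or a retransmission of it) installs the PTK.
        if self.hardened and self.installed and ptk == self.ptk:
            return                 # key already in use: keep the packet number
        self.ptk = ptk
        self.pn = 0                # installing a key resets the packet number
        self.installed = True

    def send(self, plaintext):
        self.pn += 1
        ks = keystream(self.ptk, self.pn, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, ks))
        self.sent.append((self.pn, ct))
        return self.pn, ct


def replay_scenario(hardened):
    """Return the packet numbers used after a replayed message 3."""
    sup = Supplicant(hardened)
    ptk = b"constructed-ptk-value"         # constructed, not a real key
    sup.on_msg3(ptk)                       # genuine message 3
    sup.send(b"first data frame")
    sup.on_msg3(ptk)                       # message 3 replayed by an attacker
    sup.send(b"second data frame")
    return [pn for pn, _ in sup.sent]      # a repeated value means nonce reuse


if __name__ == "__main__":
    print("vulnerable:", replay_scenario(False))   # packet number repeats
    print("hardened:  ", replay_scenario(True))    # packet number advances
```

A repeated packet number under the same PTK means the same keystream was used twice, which is the condition the CERT text above describes as enabling decryption and replay.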
This is a preliminary advisory. Aerohive will issue an updated and final version of this advisory with more details about the vulnerabilities and Aerohive status after 31-October 2017.
An attacker within the wireless communications range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocol being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.
Upgrade access points to HiveOS version 8.1r2a or to HiveOS version 6.5r9, and branch routers to HiveOS version 6.7r4 as soon as they become available.
At the time of this publication, HiveOS version 8.1r2a will be available 16 October 2017, within 24 hours of the publish date of the vulnerability.
- HiveOS version 6.5r9 is in process and will be available no later than 20 October 2017.
- HiveOS version 6.7r4 is in process and will be available no later than 20 October 2017.
- AP121, AP141, AP170, BR200, AP130*, AP230*, AP320, AP340, AP330, AP350, AP370, AP390, and AP1130* customers should upgrade to HiveOS 6.5r9 when it becomes available.
- AP122, AP130*, AP150W, AP230*, AP245X, AP250, AP550, AP1130* customers should upgrade to HiveOS 8.1r2a when it becomes available.
- AP130, AP230, and AP1130 customers can choose between HiveOS 6.5r9 and HiveOS 8.1r2a.
Aerohive Connect & Select
by Sandhu on May 26, 2017
Aerohive Connect offers enterprise connectivity, cloud management, and interactive forum-based support, without increasing cost or complexity. Connect leverages Aerohive's unique distributed Wi-Fi architecture and cloud networking to increase speed, scale, and resiliency for wireless-first organizations. Connect is a great entry point for organizations that have basic connectivity needs but expect to increase network visibility, security, and other enterprise Wi-Fi features in the near future.
Seamlessly upgrade to advanced features such as application visibility, increased security, troubleshooting tools, and enhanced support services with Aerohive Select. Aerohive's advanced cloud networking solutions increase network intelligence while decreasing network complexity, available as either a public or private cloud deployment. Aerohive Select enhances the connected experience for corporate, BYOD, guest, and IoT connectivity.
Connecting Barracuda NG to Azure Gateway site-to-site VPN using the Resource Manager Portal
by Sandhu on Mar 24, 2017
Public Cloud is one of the most popular topics in IT right now. Not only is securely deploying resources in Public Clouds important but the connectivity also needs to be seamless and secure.
Below is a demonstration of how you can use the site-to-site VPN capability of the Barracuda NG Firewall to connect to the Microsoft Azure cloud using the new Resource Manager portal.
Azure Portal Side Configuration
1) Create the Virtual Network
- Navigate to the Azure portal and sign in.
- Click New, navigate to the Marketplace, and look for Virtual Network. Open the Virtual Network blade, select Resource Manager as the deployment model, and click Create.
- Fill in the address space you want to use. Here the standard 172.16.0.0/16 DMZ range has been used for the Azure cloud.
- Click on Create.
2) Adding the Gateway Subnet
- Before connecting your virtual network to a gateway, you need to first create a gateway subnet for the virtual network. It's best to create a gateway subnet using a CIDR block of /28 or /27 in order to provide enough IP addresses to accommodate additional future configuration requirements.
- In the portal, navigate to the Resource Manager virtual network for which you want to create a virtual network gateway.
- In the Settings section of your VNet blade, click Subnets to expand the Subnets blade.
- On the Subnets blade, click +Gateway subnet at the top. This will open the Add subnet blade.
3) Create a Virtual Gateway
- In the portal, on the left side, click + and type "Virtual Network Gateway" in the search. Locate Virtual network gateway in the search return and click the entry. On the Virtual network gateway blade, click Create at the bottom of the blade. This opens the Create virtual network gateway blade.
- On the Create virtual network gateway blade, fill in the values for your virtual network gateway.
- Click Create. Note that the gateway can take up to 45 minutes to deploy.
4) In the portal, from All resources, click +Add. In the Everything blade search box, type Local network gateway, then click to search. This will return a list. Click Local network gateway to open the blade, then click Create to open the Create local network gateway blade.
- Specify a valid public IP address for the VPN device or virtual network gateway with which you want to connect.
- If this local network represents an on-premises location, this is the public IP address of the VPN device that you want to connect to. It cannot be behind NAT and has to be reachable by Azure.
- If this local network represents another VNet, you will specify the public IP address that was assigned to the virtual network gateway for that VNet.
- Address Space refers to the address ranges for the network that this local network represents. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks that you want to connect to.
Create The VPN Connection
5) Locate your virtual network gateway and click All settings to open the Settings blade.
6) On the Settings blade, click Connections, and then click Add at the top of the blade to open the Add connection blade. Fill in the shared key and select the appropriate Local Network Gateway and Virtual Network Gateway.
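Before clicking through the portal steps above, it helps to check the plan against the rules the steps state: the gateway subnet must sit inside the VNet address space and be /27 or /28, the local gateway address cannot be behind NAT, and local address spaces must not overlap the VNet or each other. The following Python is an added example (not a Barracuda or Microsoft tool) with constructed sample values.

```python
# Pre-deployment sanity checks for the Azure side of a site-to-site VPN plan.
# Added example; all addresses below are constructed, not from a real tenant.
import ipaddress

# Address ranges that imply the device is behind NAT and unreachable by Azure.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def validate_vpn_plan(vnet_space, gateway_subnet, local_gateway_ip, local_spaces):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vnet = ipaddress.ip_network(vnet_space)
    gw = ipaddress.ip_network(gateway_subnet)
    # The gateway subnet is carved out of the VNet's own address space.
    if not gw.subnet_of(vnet):
        problems.append(f"gateway subnet {gw} is not inside VNet {vnet}")
    # /27 or /28 leaves room for future gateway configuration requirements.
    if gw.prefixlen > 28:
        problems.append(f"gateway subnet {gw} is smaller than /28")
    # The on-premises VPN device must be directly reachable, not behind NAT.
    ip = ipaddress.ip_address(local_gateway_ip)
    if any(ip in n for n in NAT_RANGES):
        problems.append(f"local gateway address {ip} is a NAT/private address")
    # Local address spaces must not overlap the VNet or one another.
    nets = [ipaddress.ip_network(s) for s in local_spaces]
    for n in nets:
        if n.overlaps(vnet):
            problems.append(f"local address space {n} overlaps VNet {vnet}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"local address spaces {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    # Constructed plan using the 172.16.0.0/16 DMZ range from the walkthrough.
    print(validate_vpn_plan("172.16.0.0/16", "172.16.255.0/27",
                            "203.0.113.10", ["10.0.0.0/8"]))
```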
Configuration on the Barracuda NG Side
7) In the Config tab, click VPN Service and then choose Site to Site VPN. The new Azure portal uses IKEv2 for IPsec.
8) Use exactly the same Phase 1 and Phase 2 settings for the VPN connection as shown in the diagram.
9) After sending the changes, click Activate.
Create the rule in your NG Firewall
10) Go to Forwarding Rules and create a LAN-2-VPN rule.
Now the firewall should pass traffic.
For more information visit www.securicore.ca
You can contact Amit Sandhu via the contact form with any questions.
Barracuda Vulnerability Manager for Websites
by Sandhu on Feb 03, 2017
Vulnerabilities, or security risks, are weaknesses in websites and web applications. An insecure web application can give attackers access to confidential corporate systems and user data and enable other malicious activity. Barracuda Vulnerability Manager scans your web applications based on your custom configuration settings, allowing you to automate the process of uncovering and resolving weaknesses in your websites and web applications.
Barracuda Vulnerability Manager is a web application vulnerability management solution that helps businesses automatically identify, assess, and mitigate web application security risks, including those categorized by the Open Web Application Security Project (OWASP) such as SQL Injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). Once vulnerabilities are identified, you can modify and update code, or integrate your systems with a Barracuda Web Application Firewall to adjust the applicable security policy settings and mitigate the reported vulnerabilities. Together with the Barracuda Web Application Firewall (WAF), Barracuda Vulnerability Manager provides a comprehensive solution to identify and secure against web application vulnerabilities.
Barracuda Vulnerability Manager scans web applications, targeting the web servers to which it is pointed; it does not scan your network or infrastructure.
Initial Service Setup
- To get started with Barracuda Vulnerability Manager, log in to your Barracuda Cloud Control account.
- If you already have a Barracuda Cloud Control account, continue with Connect to the Barracuda Vulnerability Manager below.
- If you do not have an account, use the following steps to create a new account:
- If you do not have a Barracuda Cloud Control account, go to https://login.barracudanetworks.com/ and click Create a user.
- Enter your name, email address, and company name, and specify whether this is a partner account. Click Create User.
- Follow the instructions emailed to the entered email account to log in and create your Barracuda Cloud Control account.
- After submitting your new account information, the Account page displays your account name, associated privileges, and username.
- To log into the Barracuda Vulnerability Manager, continue with Step 2 below.
- Connect to the Barracuda Vulnerability Manager
- Log into https://login.barracudanetworks.com/.
- Once you are logged in, click Vulnerability Manager in the left navigation pane.
- Click Sign Up For Free.
- Enter your Phone Number, select your Country, and then enter your Postal Code.
- Read and accept the terms of service, and click Sign Up. The Active Scans page displays.
- Click New Scan to start scanning your web applications.
In the future, when you log into your Barracuda Cloud Control Account, you will automatically be able to access the Barracuda Vulnerability Manager.
- Use the steps in the article to define a scanner configuration to discover security risks in your website or website application.
- Once you are logged in and connected to the service, the Active Scans page displays. Complete the following steps to set up a website scan:
- Click New Scan; the Scanner Configuration page displays.
- Enter a name to represent the scan. For example, test site scan 1.
- Enter the URL you want to scan, for example, test.MyCompany.
- For a sample scan and report, use the following URL: test.blorpazort.com
- If the URL cannot be verified, you are prompted to enter an email address to which you have access.
- If the domain is verified, the scan can be started immediately.
- For more information, refer to Understanding Verification.
- Select each of the four tabs, described below, completing the necessary information.
- When you are satisfied with your configuration, click Start Scan.
- Once your scan has started, it shows up in the Active Scans tab. Barracuda Vulnerability Manager scans publicly accessible web applications regardless of where they are hosted: on-premises, co-located, or in a public cloud. The scanner targets web servers based on your configuration; it does not scan your network or infrastructure.
When the scan is finished, the results screens are displayed.
The data returned by the scan will help you identify, assess, and mitigate web application security risks, including the following:
- SQL Injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Other risks identified by the Open Web Application Security Project (OWASP)
The Barracuda Web Application Firewall (WAF) can be used to mitigate the risks identified by the Barracuda Vulnerability Manager. The WAF will create one or more security policy recommendations based on the scan report that it imports from the Vulnerability Manager. The administrator then has the option to apply the recommendations in order to mitigate the reported vulnerabilities.
Thinking about site-to-site connectivity with MPLS? Barracuda NG Firewall: 70% savings compared to MPLS
by Sandhu on Jan 05, 2017
One of the most common questions I come across when deploying a security solution is about VPN access. From a simple two site VPN access to full mesh networks, Barracuda NG firewall is designed to scale as your network grows.
A customer recently reached out to me with a problem. They had multiple sites with video cameras and wanted to stream all their video data to a central site for compliance. Retrieving the video stream was a challenge all in itself but retrieving it securely over the WAN was another important aspect of the deployment. They were also considering MPLS as a probable solution but the sheer cost of having an MPLS network was setting back the entire project and slowing the growth of the organization.
Fortunately, Barracuda has a solution. The Barracuda NG Firewall is a perfect fit because of the way it is designed: around centralized management, allowing a single person to manage up to 500 firewalls. Barracuda Control Center, coupled with a tool called the GTI Editor, lets you deploy multiple firewalls in a matter of minutes. Creating VPNs with various encryption parameters is just a matter of dragging and dropping between sites, and you can create a range of topologies, from hub and spoke to full mesh and on-demand mesh, with a few clicks. This essentially removes the requirement for an expensive MPLS network.
You can have multiple uplinks to a firewall to achieve link balancing and redundancy. Barracuda NG firewalls can also balance VPN traffic over these multiple WAN links using their VPN protocol, TINA. Built-in WAN optimization reduces latency for traffic over the WAN links, accelerating the entire network.
Calculate your savings at