Info Sharing Blog

Friday, March 30, 2018

Microsoft Windows NLB Feature for Stateful Applications

March 30, 2018 Posted by jaacostan
NLB is a software-based load balancer (a Windows Server feature) that runs on every member of the cluster. Load is distributed by the number of client connection requests; the NLB algorithm does not dynamically respond to changes in the load on each cluster host (such as CPU load, memory usage or network usage).
Thus, if the client population is small and/or the connections produce widely varying loads on the servers, the NLB load-balancing algorithm is less effective.

To understand how NLB preserves session state, let me first take you through the difference between stateful and stateless connections:

Stateless
An application connection is said to be stateless if the server does not store any state about the client session; instead, the session data is kept on the client side. The server does not rely on information from earlier requests.
** HTTP is a stateless protocol: by itself it preserves no session data.
** Cookies and other client-side mechanisms (add-ons, local storage) can store session information about the client and can be used with HTTP to make the connection stateful.
Note: Stateless interactions - there is no impact or connection loss if the request is processed by a different server.

Stateful
An application connection is said to be stateful if the server stores session state and data about the client session. The server relies on information from previous connections (the session) while processing new connection requests.
Note: Stateful interactions - there will be impact or connection loss if, after a session break, the request is processed by a different server and the client session data is not shared between the servers.

Managing Application/Session State

Session state refers to client data that is visible to a particular client for the duration of the session. A server application holding client state information must share it with the other hosts in the cluster to prevent errors.
When an application maintains state for a client connection, it is important to direct all of that client's TCP/UDP connections to the same cluster host that is processing its requests.
In terms of application data, changes to the data store must be synchronized across the hosts in the cluster. One example is a back-end database shared by all instances of the application running on the cluster hosts.
To maintain session state, Microsoft NLB uses the affinity options of a port rule to direct all connections from a given client address, or class of client addresses, to the same cluster host.
Note: Client/server applications that embed session state in cookies, or push it to a back-end database, do not need client affinity to be maintained.

Client Affinity 


NLB offers three affinity settings to preserve session state: None, Single and Network (Class C).
1.    None (No Affinity)
With this option no affinity is kept: each client connection (from any source IP address and port) can be served by any member host in the cluster. Useful for applications that do not need to store session information on the server.
2.    Single
With this option NLB maps clients to a specific host in the cluster based on the client's full IP address. Once a connection is established, requests coming from the same client IP address always reach the same member server in the cluster.
Useful for intranet applications, as intranet clients have IP addresses within a narrow range. For Internet applications it is less efficient, because the clients span a broad IP range, and the distribution algorithm carries more computing overhead.
3.    Network (Class C)
With this option NLB associates clients with a specific host in the cluster based on the upper 24 bits (the /24 "Class C" portion, i.e. the first three octets) of the client IP address. All connections from the same /24 range always reach the same member server in the cluster. This is best suited to clusters serving Internet applications, for example when one client's requests may arrive through several proxy servers in the same network.
Extended Affinity Option:
This is only available with the Single and Network (Class C) affinity options and is enabled by setting a timeout value (in minutes) in the port rule's filtering options. The timeout means that when a connection is lost or interrupted, the cluster host keeps the client-to-host mapping for the specified duration, so that if the client reconnects within the timeout it lands on the same host and its preferences/selections are still preserved.
Example: a customer using an online shop has products selected in the shopping cart. If the customer loses the connection and reconnects (whether due to a client-side or an application-side issue), the selected products are still in the cart, provided the timeout value is defined and has not expired.
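The three affinity modes and the extended-affinity timeout, as an added example that is not part of the original post and is not Microsoft's NLB code. NLB's real hash is internal to the driver; this model only reproduces the observable behaviour described above (which part of the client address forms the key in each mode, and how the timeout keeps a client on its host across a reconnect or a cluster membership change). Host names, client addresses and the 30-minute timeout are constructed.

```python
"""Model of how NLB client affinity picks a cluster host.

Added example, not Microsoft's NLB code: the real NLB hash is internal to the
driver, so this only reproduces the observable behaviour described above,
i.e. which part of the client address forms the affinity key in each mode, and
how an extended-affinity timeout keeps a client on its host when it reconnects
after an interruption or after another node has joined the cluster.
Host names, addresses and the timeout used in the demo are constructed.
"""
import hashlib
import ipaddress
from typing import Dict, List, Tuple


def affinity_key(client_ip: str, client_port: int, affinity: str) -> str:
    """The part of the client's address that the cluster hashes for this mode (IPv4)."""
    ip = ipaddress.ip_address(client_ip)
    if affinity == "None":
        # No affinity: every TCP/UDP connection (address + port) is hashed on its own.
        return f"{ip}:{client_port}"
    if affinity == "Single":
        # Single affinity: the full client IP address.
        return str(ip)
    if affinity == "Network":
        # Network ("Class C") affinity: only the /24 network part of the address.
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))
    raise ValueError(f"unknown affinity mode {affinity!r}")


def pick_host(key: str, hosts: List[str]) -> str:
    """Deterministically map an affinity key onto the current host list."""
    digest = hashlib.sha256(key.encode()).digest()
    return sorted(hosts)[int.from_bytes(digest[:4], "big") % len(hosts)]


class AffinityTable:
    """Routes connections for one port rule; timeout_minutes > 0 emulates
    extended affinity by remembering each client's host until the timeout."""

    def __init__(self, hosts: List[str], affinity: str, timeout_minutes: int = 0):
        self.hosts = list(hosts)
        self.affinity = affinity
        self.timeout = timeout_minutes
        self._sticky: Dict[str, Tuple[str, float]] = {}  # key -> (host, expiry)

    def add_host(self, host: str) -> None:
        """A node joins: without extended affinity the hash may now send an
        existing client to a different host, and its server-side session is lost."""
        self.hosts.append(host)

    def route(self, client_ip: str, client_port: int, now_minutes: float) -> str:
        key = affinity_key(client_ip, client_port, self.affinity)
        if not self.timeout or self.affinity == "None":
            return pick_host(key, self.hosts)
        entry = self._sticky.get(key)
        if entry and entry[1] >= now_minutes and entry[0] in self.hosts:
            host = entry[0]  # reconnect within the timeout: stay on the same host
        else:
            host = pick_host(key, self.hosts)
        self._sticky[key] = (host, now_minutes + self.timeout)
        return host
```

With Single affinity, two connections from the same address always land on the same host; with Network affinity, every address in the same /24 does. Only with a timeout does a client survive a node joining the cluster without being re-hashed, which is the situation the shopping-cart example describes.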
---------------------------------------------------------------------------------------------------------------------------------
Article Author :-
Mr. Arjun Sunil
6+ years of experience in Windows Servers, Cloud & Virtualization.
Follow Arjun Sunil at his LinkedIn Here.
---------------------------------------------------------------------------------------------------------------------------------

Thursday, March 29, 2018

TLS version 1.3 is Here : A brief Overview

March 29, 2018 Posted by jaacostan
On 23rd March 2018 the latest version of TLS, TLS 1.3, was approved by the IETF. There are a considerable number of improvements and differences in TLS 1.3 over 1.2. Now developers need to implement this version in their products, and the actual roll-out can be expected soon.
Right now I am running Mozilla Firefox 59.0.1, and TLS 1.3 is not yet enabled by default.

But as per some tech forums the browser does support TLS 1.3, though it is not enabled by default. There are tips available on the Internet for enabling TLS 1.3 manually, but I am not going to discuss that here.
One of the major improvements in TLS 1.3 is speed.

Those who need a refresher on the SSL handshake process can refer to my older post.

The handshake in TLS 1.2 involves more packet exchanges.
The full handshake in TLS 1.3 is now concluded in just three flights of messages, i.e. one round trip instead of two.
Basically the concept is the same: the client starts with a Hello, the server responds with its Hello, then the session keys are established. What changes in TLS 1.3 is that the client no longer waits for the server to negotiate the kind of key exchange to use: the initial ClientHello already states which cipher suites and key-exchange groups the client will use and includes its key share, and the server accepts one and responds with its own key share, so both sides can derive the keys straight away. That speeds up the handshake. TLS 1.3 also adds explicit downgrade protection: a server that ends up negotiating an older version marks its ServerHello random value, which eliminates the downgrade attack vector where an attacker strips TLS 1.3 from the ClientHello.

A few other major differences between TLS 1.2 and TLS 1.3 are mentioned below.
 1) The list of supported symmetric algorithms has been pruned of all algorithms that are considered legacy. Those that remain all use Authenticated Encryption with Associated Data (AEAD). The cipher-suite concept has been changed to separate the authentication and key-exchange mechanisms from the record-protection algorithm (including secret key length) and the hash used with the key-derivation function and HMAC.
AEAD is the only TLS encryption approach without known weaknesses (CBC-mode suites and RC4 both have practical attacks). AEAD suites provide strong authentication, key exchange, forward secrecy, and encryption of at least 128 bits. TLS 1.3 supports only AEAD suites. SSL Labs has started applying a scoring penalty to websites that do not support AEAD.

2) A 0-RTT mode was added, saving a round trip at connection setup for some application data, at the cost of certain security properties.
It means that if the client has connected to the server before, TLS 1.3 permits a zero-round-trip handshake. This is done by keeping secret information from the previous session, a pre-shared key (PSK) handed out in a session ticket rather than the old session ID, and using it when the two parties connect again. The cost is that data sent in the 0-RTT flight is not forward secret and can be replayed by an attacker, so servers should only accept it for requests that are safe to repeat.

3) Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key-exchange mechanisms now provide forward secrecy.
SSL Labs has already implemented a penalty in its scoring system for websites that do not use (perfect) forward secrecy.

4) All handshake messages after the ServerHello are now encrypted. The newly introduced EncryptedExtensions message allows various extensions previously sent in the clear in the ServerHello to also enjoy confidentiality protection from active attackers.

TLS 1.3 also discontinued support for obsolete ciphers and algorithms. The list includes the following major cryptographic standards/algorithms.
  •     RC4 stream cipher
  •     RSA Key Transport
  •     SHA-1 Hash Function
  •     CBC Mode Ciphers
  •     MD5 Algorithm
  •     Various Diffie-Hellman groups
  •     EXPORT-strength ciphers
  •     DES
  •     3DES
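Items 1 and 3 above and the list of removed algorithms translate into a policy a client can enforce today, even where TLS 1.3 itself is not yet enabled. The following is an added example, not code from the original post: it uses only Python's standard-library ssl module to refuse anything below TLS 1.2, offer only ECDHE + AEAD suites for TLS 1.2, and audit whatever the local OpenSSL would still negotiate against the rules in the list. The cipher string and the classification rules are this example's own choices; the suite metadata (AEAD flag, key-exchange type) comes from SSLContext.get_ciphers().

```python
"""Enforce the TLS 1.3 posture above (TLS 1.2 minimum, AEAD-only, forward-secret
suites) with Python's standard-library ssl module, and audit which negotiable
suites would still count as legacy by the post's list.

Added example, not code from the original post.  The cipher string and the
classification rules are this example's own choices; the suite metadata comes
from OpenSSL via SSLContext.get_ciphers().
"""
import ssl
from typing import Dict, List, Tuple

# Name fragments (OpenSSL notation) of algorithms TLS 1.3 dropped outright.
LEGACY_NAME_MARKERS = ("RC4", "DES", "MD5", "EXP", "NULL", "ADH", "AECDH")


def audit_suite(suite: Dict) -> List[str]:
    """Reasons a suite (one entry of SSLContext.get_ciphers()) fails the TLS 1.3
    rules in the post; an empty list means it is acceptable."""
    reasons = []
    name = suite["name"].upper()
    if any(marker in name for marker in LEGACY_NAME_MARKERS):
        reasons.append("obsolete algorithm in suite name")
    if not suite.get("aead", False):
        reasons.append("not AEAD (CBC/HMAC record protection)")
    if suite.get("kea") == "kx-rsa":
        reasons.append("RSA key transport: no forward secrecy")
    if "SHA1" in name or name.endswith("-SHA"):
        reasons.append("SHA-1 based MAC")
    return reasons


def hardened_context(purpose=ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and, for TLS 1.2,
    offers only ECDHE + AEAD suites.  TLS 1.3 suites are AEAD by definition and
    are managed separately by OpenSSL, so they stay enabled."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def remaining_issues(ctx: ssl.SSLContext) -> List[Tuple[str, List[str]]]:
    """Suites the context would still negotiate that fail the audit."""
    return [(s["name"], audit_suite(s)) for s in ctx.get_ciphers() if audit_suite(s)]


def tls13_available() -> bool:
    """True if the local OpenSSL build can speak TLS 1.3 at all."""
    return bool(getattr(ssl, "HAS_TLSv1_3", False))


if __name__ == "__main__":
    print("TLS 1.3 available locally:", tls13_available())
    print("default context still offers",
          len(remaining_issues(ssl.create_default_context())), "non-compliant suites")
    print("hardened context offers",
          len(remaining_issues(hardened_context())), "non-compliant suites")
```

Run it on a few machines and the default-context line varies with the Python/OpenSSL build, which is exactly why pinning the policy in code (rather than trusting the defaults) is worth it; the hardened context should report zero non-compliant suites everywhere.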
You can read the complete IETF document @ https://tools.ietf.org/html/draft-ietf-tls-tls13-28

Tuesday, March 27, 2018

Facts: Facebook Deactivation vs Deletion

March 27, 2018 Posted by jaacostan
So the #deletefacebook campaign has been circulating on the Internet. Let's analyze the impact of deactivating versus deleting a Facebook account, and how to perform each.

Tip: If you don't want to read this article fully, here is the direct link for account deletion:

OK, let's start. Firstly, deactivation.

So as per FB, "Deactivating your account will disable your Profile and remove your name and photo from most things that you've shared on Facebook. Some information may still be visible to others, such as your name in their Friends list and messages that you've sent.".
Also "Your Messenger account will remain active unless you deactivate it from the Messenger app. Using Messenger will not reactivate your Facebook account. Your profile picture will still be visible in your conversations and people will still be able to search for you by name to send you a message. You will continue to appear to friends on Facebook in places where they can message you."

A clever way to win deactivated users back, like a sugar craving: for most people deactivation won't work as they intended, and they will reactivate the account as soon as possible.

You can deactivate the account from the Settings page -> Manage Account and click Edit.

That will take you to the Deactivation page.
Click "Deactivate your account" to deactivate.

Now let's see how to delete the Facebook account.

Unlike the option to deactivate the account directly from the Settings page, FB has not provided an option to delete the account there.
There is an account deletion option, but only for accounts of people who have died :P

So if we go through the "Learn more" link from Settings -> General, it takes us to a basic help page on deactivation and deletion topics. From there we can browse to another help page, "How do I permanently delete my account?", and get the link to the delete_account page.

The deletion process is hectic for this giant technology company: it takes up to 90 days to delete the account. So sad, right?
They have also made it clear that when you delete your account, the posts you shared with others remain on FB. So your friends will still have the posts and photos that you shared with them.
As per FB, " It may take up to 90 days from the beginning of the deletion process to delete all of the things you've posted, like your photos, status updates or other data stored in backup systems. While we are deleting this information, it is inaccessible to other people using Facebook.
Some of the things you do on Facebook aren’t stored in your account. For example, a friend may still have messages from you even after you delete your account. That information remains after you delete your account."
Which means that once you are in FB, it is not easy to close your account and remove your data immediately.
Once you have entered the fun world of social media, there is no easy way to get out of it.
So the direct link for account deletion is https://www.facebook.com/help/delete_account

So think twice before putting and exposing yourself, your personal data, pictures, dates and history on sites like FB. You can't put everything on the Internet and then claim a right to privacy.

Monday, March 26, 2018

Cisco ASA: Disable SSLv3 and configure TLSv1.2.

March 26, 2018 Posted by jaacostan
To configure TLS 1.2, the ASA must run software version 9.3(2) or later.
Earlier ASA versions do not support TLS 1.2. If you are running an old version, it is time to upgrade.
Before making the change, here is the configuration prior to it. I am running ASA version 9.6.1.

Now set the server-version to tlsv1.2. Though the ASA also supports tlsv1.1, it is always better to configure the more secure version. "Server" here means the ASA acts as the TLS server and the client (ASDM, AnyConnect or clientless WebVPN users) connects to the ASA.
    #ssl server-version tlsv1.2
Set the client-version to tlsv1.2 if required. This governs the connections the ASA itself initiates as a TLS client.
    #ssl client-version tlsv1.2
The ssl cipher command on the ASA offers five predefined security levels plus an additional custom level.
    #ssl cipher tlsv1.2 high
We can see the cipher suites contained in each level using the #show ssl cipher command.


Now set the DH group to group24 (a 2048-bit modulus with a 256-bit prime-order subgroup), which is the strongest the ASA offers as of now.
    #ssl dh-group group24

And that's it. You can verify it by accessing the ASA/ASDM.
Once again check the config using the #show ssl command.
You can see the connection now negotiates TLSv1.2. From a client you can also confirm that the older versions are refused, for example with openssl s_client -connect <asa>:443 -tls1_1 (should fail) and -tls1_2 (should succeed).
So in short, just four commands for the configuration:
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
ssl dh-group group24
Note: the same can be done using ASDM .

Saturday, March 24, 2018

Add a program to the Context menu: Regedit

March 24, 2018 Posted by jaacostan
Many times we may need to open a file with a particular program directly from the right-click context menu.
As a quick example, to add Notepad to the context menu,
the process to add "Open in Notepad" to the context menu is detailed below:
Navigate to HKEY_CLASSES_ROOT\*\shell.
Create a new key under the shell key. Right-click shell and select New > Key.
Set the key name to Open In Notepad. This name is the text shown in the context menu.
Create a new key under the Open In Notepad key. Right-click Open In Notepad and select New > Key.
Set the key name to command. This subkey is required (the shell runs whatever is in its (Default) value); giving the Open In Notepad key itself a (Default) value is the optional part.
Select the (Default) value in the command key and select Modify.
Enter notepad.exe "%1" in the Value data field and click OK. %1 expands to the full path of the right-clicked file, so keep the quotes: without them a path containing spaces is split into several arguments.
Note that keys under HKEY_CLASSES_ROOT\*\shell apply to all users and need administrative rights; the same keys under HKEY_CURRENT_USER\Software\Classes\*\shell affect only the current user.

Another example: if you want the command prompt in the context menu,
use cmd.exe instead of notepad.exe.

Now right-click any file and you should see the option, in this example "Open in CMD".
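The same keys can be written as a Registration Entries (.reg) file that can be reviewed and imported with reg import instead of clicked through in regedit. The following is an added example, not from the original post: it builds the verb key and its command subkey exactly as described above, applies the escaping Regedit uses inside REG_SZ values (backslash and double quote are escaped with a backslash), and includes a minimal parser so the output can be checked without a Windows machine. The menu text, program path and the per-user hive are parameters of the example.

```python
r"""Emit the context-menu keys above as a .reg file instead of clicking through regedit.

Added example, not from the original post: the key layout is the one the post
describes (a verb key under <hive>\*\shell with a mandatory "command" subkey),
the .reg escaping is Regedit's (backslash and double quote are escaped with a
backslash inside REG_SZ values), and the small parser only exists so the
output can be verified off Windows.  Menu text and program paths are parameters.
"""
from typing import Dict

REG_HEADER = "Windows Registry Editor Version 5.00"
PER_USER_HIVE = r"HKEY_CURRENT_USER\Software\Classes\*\shell"   # no admin rights needed
ALL_USERS_HIVE = r"HKEY_CLASSES_ROOT\*\shell"                   # what the post uses


def reg_escape(value: str) -> str:
    """Escape a string for use inside a quoted REG_SZ value."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def reg_unescape(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def context_menu_reg(menu_text: str, program: str, hive: str = ALL_USERS_HIVE) -> str:
    """Build the .reg text for an "open with <program>" verb on every file type."""
    verb_key = f"{hive}\\{menu_text}"        # key name = text shown in the menu
    command_key = f"{verb_key}\\command"      # the shell reads (Default) of this subkey
    # %1 expands to the full path of the right-clicked file; it must be quoted,
    # otherwise a path with spaces is split into several arguments.
    command_line = f'"{program}" "%1"'
    lines = [
        REG_HEADER, "",
        f"[{verb_key}]",
        f'@="{reg_escape(menu_text)}"',       # optional: menu text for the verb
        "",
        f"[{command_key}]",
        f'@="{reg_escape(command_line)}"',
        "",
    ]
    return "\r\n".join(lines)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg reader (quoted REG_SZ values only) used to verify the output."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == REG_HEADER:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "@" if name == "@" else reg_unescape(name.strip('"'))
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = reg_unescape(value[1:-1])
            keys[current][name] = value   # other types (dword:, hex:) left verbatim
    return keys


def write_reg(path: str, text: str) -> None:
    """Write as UTF-16 with BOM, the encoding Regedit itself uses when exporting
    Version 5.00 files."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(text)


if __name__ == "__main__":
    print(context_menu_reg("Open In Notepad", r"C:\Windows\notepad.exe", PER_USER_HIVE))
```

Importing the generated file with reg import is the same operation as the manual steps; using PER_USER_HIVE keeps the change to the current user's profile, which is also the safer default for anything that adds an executable to a context menu.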



Additionally, if you want to open a folder in CMD through the context menu,
hold the Shift key down while right-clicking the folder. You should see an option "Open command window here" appear.

Friday, March 23, 2018

Cambridge Analytica and Information Technology Act of India: Why India needs a Stringent Data Privacy Law?

March 23, 2018 Posted by jaacostan

Over the last few days the Cambridge Analytica scandal has been shaking governments around the world. It is also in the news that CA/FB or their partners were allegedly actively involved in different elections in India.
Let's see how practical it is to punish CA/FB or any other organization that violates data privacy.
Currently, data protection in India is governed by the provisions of the Information Technology Act, 2000 (as amended in 2008). So if the Cambridge Analytica scandal were taken to court, the only way it could be dealt with is under India's Information Technology Act.

Here is the Indian Union IT Minister's response to the Cambridge Analytica scandal:
“Mr Mark Zuckerberg, you better note the observation of the IT Minister of India. We welcome the FB profile in India, but if any data theft of Indians is done through the collusion of Facebook's system, it shall not be tolerated. We have got stringent powers in the IT Act, and we shall use it, including to summon you in India,"

Actually, India lacks stringent data privacy laws like the EU DPD/GDPR.

In reality it means nothing, because there is no way to summon Zuckerberg even assuming his company is accused of a breach of privacy.
India does not have any stringent law for data protection. There is nothing in Indian law that currently stops intermediaries from selling profiles of their clients to whoever is willing to pay. It is well known that data held by banks, mobile operators, Internet providers and several other agencies gets misused. Whenever we sign up for some service on the Internet (e.g. social media, job portals), we can expect new mails/calls from other organizations offering their services. Though they mention all this in the Terms of Service, how many of us spend time reading and understanding it? Almost everyone simply clicks Accept and moves on.

Also, the Minister's anger over privacy seems funny because he had once argued in the Supreme Court that there is no such thing as an absolute right to privacy. As per the Government, privacy "should be subject to reasonable restrictions", adding that the state's concerns should override the privacy rights of individuals.

In the light of recent events such as the Aadhaar data misuse and now Cambridge Analytica, it is obvious that what India needs is a stringent law and fool-proof systems to protect private data.
The entire world is preparing, or has already established, laws protecting its citizens' data and privacy; as the fastest growing economy, India should step up with stringent data privacy laws.

Note: Many Indian business persons took loans and left India. The Government was never able to bring them back, so imagine how it would bring Zuckerberg here under a weak IT Act. Lol.


Thursday, March 22, 2018

Recovery Procedure: Alcatel-Lucent Omni-Switch not booting AOS: Going to Mini-boot prompt.

March 22, 2018 Posted by jaacostan
Problem: Switch not booting AOS; going to the Miniboot prompt.

Model: Alcatel-Lucent OS6850
[Note: The same procedure may be applicable to other Omni-Switch models; for this illustration I have used an OS6850.]

Reason: This problem may occur due to corrupt AOS image files or misconfigured boot parameters, so the switch cannot boot the images properly and drops to the Miniboot prompt.

Work Around:
[Note: This Zmodem procedure takes a lot of time to finish.]
1.) Power off your OS6850.
2.) When you switch it back on, stop it before Miniboot (there is a counter counting down from 4). Press Enter to break.
3.) You will get the prompt "=>".
4.) Enter "setenv baudrate 115200". Increasing the baud rate speeds up the data transfer over Zmodem.
5.) Enter "saveenv".
6.) Enter "boot".
7.) The switch should now run at 115200 baud (so you have to change your client's terminal connection speed as well).
8.) If the speed in Miniboot is still 9600, delete the "boot.params" file and reboot the switch again (the next time boot.params is created it will contain 115200 as the baud rate automatically).
9.) Assuming your connection speed is now 115200 and you are at the "[Miniboot]->" prompt,
10.) change into the working directory with the command
[Miniboot]->cd "working"
11.) Enter the following command to start your Zmodem session:
[Miniboot]->sysStartZmodem
12.) Select the image files you want to upload. [In my case the switch was unable to boot because it could not extract the kernel file from K2os.img; this differs from case to case.]
13.) Use the TeraTerm software to transfer the files using Zmodem.

14.) Always upload one image file at a time, so you can track better if a transfer fails.
Enter [Miniboot]->sysStartZmodem; the switch then waits for the file. Then send it from TeraTerm using Zmodem.
15.) Upload all the .img files to the working directory.
16.) All *.img files need to be in the working directory by now.
17.) Before you reboot you have to tell the switch to run from the working directory (otherwise it would try to load from certified, since the directories differ, but there are no image files in certified and it would fail):
[Miniboot]-> setNextRunningVersion 2
18.) Enter "reboot" to reboot your switch. It should come up with your new AOS now.
Do a "copy working certified" from the CLI now to ensure that you have the images in both directories.


SSL Handshake Explained

March 22, 2018 Posted by jaacostan
Setting up a secure SSL/TLS connection is known as the SSL handshake process. It is performed for every website whose address starts with https://.
The SSL handshake process can be explained in 6 steps.

1.    Client Web Request - Client Hello
2.    Server Responds -  Server Hello.
3.    Client validates the Certificate
4.    Client generate and encrypt the session key
5.    Server decrypts the session key 
6.    Encrypted data exchange takes place.


1. Client Web Request - Client Hello

This is the initiation of the SSL/TLS communication. The client sends a "Hello" message to the server.
Basically, this Hello means: "Hello, I want to set up a secure connection with you, but before that let me introduce myself. I support these versions of SSL/TLS, these are the cipher suites I support, and these are the data compression methods I support." The client also includes a random value that will go into the key derivation.


2. Server Responds - Server Hello.
The server responds to the client with a Server Hello: "Hello, I also understand several cipher suites, but I will select one cipher suite that we both support, and a common data compression method." The server also sends its own random value.
"Additionally, I am sharing my certificate, which contains my public key, with you."

3. Client validates the Certificate
The client validates the certificate: it checks that the certificate chains to a CA in its trust store, that it is within its validity period and not revoked, and that the name in it matches the host it connected to. Only then does it proceed to the next step.

4. Client generates and encrypts the session key

Using the data learned so far, the client generates a secret (the pre-master secret, from which the "session key" is derived) and encrypts it with the server's public key.
The encrypted message (key) is then sent to the server. Only the server can decrypt the message to get the session key.
(This is the RSA key-transport variant of the handshake. With (EC)DHE cipher suites the two sides instead derive the session key from an ephemeral key exchange, so a later compromise of the server's private key does not expose recorded sessions; TLS 1.3 removed RSA key transport entirely for that reason.)
5. Server decrypts the session key
The server, using its private key, decrypts the message and gets the session key.
The server also informs the client that for all future communication in this particular session we will be using this session key (a Change Cipher Spec message followed by an encrypted Finished message), and the SSL handsh
ake is completed.

6. Encrypted data exchange takes place.
The SSL handshake is now complete and the session begins.
The client and the server now use the session key to encrypt and decrypt the data they send to each other and to validate its integrity.
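The six steps above as an added toy simulation, which is not part of the original post and is not real TLS: the RSA arithmetic is textbook RSA on fixed Mersenne primes with no padding, the "certificate" is a dictionary signed by a toy CA, and the key derivation is a plain SHA-256. It exists only to make the message flow concrete (cipher-suite negotiation with server preference, certificate validation against the CA, the encrypted pre-master secret, both sides arriving at the same session key, and integrity-protected records). The host name, the suite names and the key sizes are constructed; never use any of it to protect real data.

```python
"""Toy walk-through of the six handshake steps above (RSA key transport).

Added example, not code from the original post and NOT real TLS: textbook RSA
on fixed Mersenne primes without padding, a dict "certificate" signed by a toy
CA, plain SHA-256 as the key-derivation function.  Message flow only.
"""
import hashlib
import hmac
import secrets


# --- toy RSA keys (fixed primes, so the example is deterministic) -----------
def rsa_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

SERVER_PUB, SERVER_PRIV = rsa_keypair(2**61 - 1, 2**89 - 1)
CA_PUB, CA_PRIV = rsa_keypair(2**107 - 1, 2**127 - 1)


def digest_int(*parts):
    h = hashlib.sha256()
    for part in parts:
        h.update(str(part).encode())
    return int.from_bytes(h.digest(), "big")


def ca_sign(cert):  # CA signs hash(subject, server public key)
    h = digest_int(cert["subject"], cert["pub"]["n"], cert["pub"]["e"]) % CA_PRIV["n"]
    return pow(h, CA_PRIV["d"], CA_PRIV["n"])

SERVER_CERT = {"subject": "www.jaacostan.com", "pub": SERVER_PUB}
SERVER_CERT["sig"] = ca_sign(SERVER_CERT)


# --- step 1: ClientHello ----------------------------------------------------
def client_hello(suites=("AES128-GCM", "AES256-CBC", "RC4-SHA")):
    return {"versions": ["TLS1.2", "TLS1.1"], "suites": list(suites),
            "compression": ["none"], "random": secrets.token_hex(16)}


# --- step 2: ServerHello + certificate -------------------------------------
SERVER_PREFERENCE = ("AES128-GCM", "AES256-CBC")   # server never offers RC4

def server_hello(hello):
    common = [s for s in SERVER_PREFERENCE if s in hello["suites"]]
    if not common or "TLS1.2" not in hello["versions"]:
        raise ValueError("handshake_failure: no common cipher suite or version")
    return {"version": "TLS1.2", "suite": common[0], "compression": "none",
            "random": secrets.token_hex(16), "cert": SERVER_CERT}


# --- step 3: client validates the certificate ------------------------------
def validate_cert(cert, expected_name, ca_pub=CA_PUB):
    h = digest_int(cert["subject"], cert["pub"]["n"], cert["pub"]["e"]) % ca_pub["n"]
    return cert["subject"] == expected_name and pow(cert["sig"], ca_pub["e"], ca_pub["n"]) == h


# --- steps 4 and 5: client encrypts a pre-master secret, server decrypts it -
def client_key_exchange(server_pub):
    pms = secrets.token_bytes(16)                  # toy size; real TLS uses 48 bytes
    return pms, pow(int.from_bytes(pms, "big"), server_pub["e"], server_pub["n"])

def server_decrypt(encrypted, server_priv=SERVER_PRIV):
    return pow(encrypted, server_priv["d"], server_priv["n"]).to_bytes(16, "big")

def session_key(pms, client_random, server_random):
    return hashlib.sha256(b"master" + pms + client_random.encode() + server_random.encode()).digest()


# --- step 6: records protected with the shared key -------------------------
def protect(key, seq, plaintext):
    stream = hashlib.sha256(key + seq.to_bytes(8, "big")).digest()
    body = bytes(a ^ b for a, b in zip(plaintext, stream * (len(plaintext) // 32 + 1)))
    tag = hmac.new(key, seq.to_bytes(8, "big") + body, "sha256").digest()
    return body + tag

def unprotect(key, seq, record):
    body, tag = record[:-32], record[-32:]
    expected = hmac.new(key, seq.to_bytes(8, "big") + body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad_record_mac")          # tampered or wrong key
    return protect(key, seq, body)[:-32]            # XOR keystream is its own inverse


def run_handshake(name="www.jaacostan.com"):
    """Return (negotiated suite, client's session key, server's session key)."""
    ch = client_hello()                                     # 1
    sh = server_hello(ch)                                   # 2
    if not validate_cert(sh["cert"], name):                 # 3
        raise ValueError("bad_certificate")
    pms, enc = client_key_exchange(sh["cert"]["pub"])       # 4
    client_key = session_key(pms, ch["random"], sh["random"])
    server_key = session_key(server_decrypt(enc), ch["random"], sh["random"])  # 5
    return sh["suite"], client_key, server_key
```

Because the server's private key decrypts the pre-master secret, anyone who records this exchange and later obtains that private key can recover every session key, which is the forward-secrecy gap that (EC)DHE suites close and that TLS 1.3 closed by removing RSA key transport altogether.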

Wednesday, March 21, 2018

Cisco ASA Firewall: Packet Flow/Mode of Operation

March 21, 2018 Posted by jaacostan

Scenario: here is a packet initiated from Inside to the Outside [ingress to egress].


1) A user sitting inside the network is trying to access a website located on the Internet (outside).

2) The packet hits the inside interface (ingress) of the ASA.

3) Once the packet reaches the ASA, it verifies whether this is an existing connection by checking its internal connection table. If it is an existing connection, the ACL check (step 4) is bypassed and processing moves to step 5.

If it is a TCP packet, the ASA checks the TCP flags. If the packet carries a SYN flag, a new connection entry is created in the connection table (the connection counter is incremented). A packet for a new connection without the SYN flag is discarded and a log entry is created.

"Remember the 3-way handshake: SYN / SYN-ACK / ACK. If the TCP flags are not in the order they are intended to be, the ASA simply drops the packet. Many scans and attacks rely on such flag manipulation."


If the packet is UDP, a connection entry is created and the connection counter is incremented as well.

4) The ASA checks the packet against the interface Access Control Lists (ACLs). If the packet matches a permit entry, it moves on to the next step; otherwise the packet is dropped. (The ACL hit counter is incremented when there is a valid ACL match.)

5) The packet is then checked against the translation (NAT) rules. If it passes this check, a connection entry is created for this flow and the packet moves on. Otherwise the packet is dropped and a log entry is created.

6) The packet is checked against the inspection policy. This inspection verifies whether this specific packet flow complies with the protocol. On the ASA these inspection checks are created through the MPF (Modular Policy Framework), i.e. class maps and policy maps, in the CLI or ASDM.

If it passes the inspection check it moves on to the next step; otherwise the packet is dropped and the information is logged. Additional checks are done if the ASA has a CSC module installed: the packet is forwarded to that module for further analysis and then returns for step 7.

7) The actual Network Address Translation happens at this step. The IP header information is translated as per the NAT/PAT rule. If an IPS module is present, the packet is forwarded to the IPS module for further checks.

8) The packet is forwarded to the outside (egress) interface based on the translation rules. If no egress interface is specified in the translation rule, the destination interface is decided based on a global route lookup.

9) On the egress interface, the interface route lookup is performed.

10) Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed: the MAC header is rewritten at this stage.

11) Finally the packet is forwarded by the ASA to the next hop.

 Note: When destination NAT applies, there is an additional step for that. Otherwise the order of operations remains the same.
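The order of operations above, as an added executable model that is not Cisco code and not part of the original post. It walks constructed packets through the same checks in the same order (connection table, TCP flag check, ACL for new flows only, NAT rule lookup, inspection, header translation, egress from the NAT rule or a longest-prefix route lookup) and returns either the forwarded, translated packet or the step that dropped it, so the "why was this dropped" question the ASA answers with its log can be reproduced on a laptop. Interface names, ACL entries, NAT rules and routes are all constructed.

```python
"""Executable model of the ASA order of operations described above.

Added example, not Cisco code: a small simulation that walks a constructed
packet through the same checks in the same order (connection table, TCP flag
check, ACL, NAT rule lookup, inspection, translation, egress lookup) and
returns either the forwarded, translated packet or the step that dropped it.
Interface names, ACL entries, NAT rules and routes are all constructed here.
"""
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    sport: int
    dport: int
    flags: Tuple[str, ...] = ()     # TCP flags, e.g. ("SYN",)
    ingress: str = "inside"


@dataclass
class Asa:
    acls: Dict[str, List[Tuple[str, str, str]]]   # iface -> [(action, proto, dst_net)]
    nat_rules: List[Tuple[str, str, str]]          # (src_net, translated_src, egress or "")
    routes: Dict[str, str]                         # dst_net -> egress iface
    inspect_ok: Dict[int, bool] = field(default_factory=dict)  # dport -> protocol compliant?
    conns: Set[tuple] = field(default_factory=set)             # the connection table
    log: List[str] = field(default_factory=list)

    def process(self, p: Packet):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.conns:                               # step 3
            if p.proto == "tcp" and p.flags != ("SYN",):
                return self.drop("no existing connection and not a SYN", p)
            if not self.acl_permits(p):                         # step 4 (new flows only)
                return self.drop("denied by ACL", p)
        rule = self.nat_rule_for(p)                             # step 5
        if rule is None:
            return self.drop("no translation rule", p)
        self.conns.add(key)                                     # flow is now in the table
        if not self.inspect_ok.get(p.dport, True):              # step 6
            return self.drop("failed protocol inspection", p)
        translated = replace(p, src=rule[1])                    # step 7: rewrite header
        egress = rule[2] or self.route_lookup(p.dst)            # steps 8-9
        if egress is None:
            return self.drop("no route", p)
        return ("forward", egress, translated)                  # steps 10-11

    def acl_permits(self, p: Packet) -> bool:
        for action, proto, net in self.acls.get(p.ingress, []):
            if proto in (p.proto, "ip") and ip_address(p.dst) in ip_network(net):
                return action == "permit"                       # first match wins
        return False                                            # implicit deny

    def nat_rule_for(self, p: Packet) -> Optional[Tuple[str, str, str]]:
        for rule in self.nat_rules:
            if ip_address(p.src) in ip_network(rule[0]):
                return rule
        return None

    def route_lookup(self, dst: str) -> Optional[str]:
        best = None
        for net, iface in self.routes.items():
            n = ip_network(net)
            if ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, iface)                                # longest prefix wins
        return best[1] if best else None

    def drop(self, reason: str, p: Packet):
        self.log.append(f"DROP {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}: {reason}")
        return ("drop", reason, None)
```

Two behaviours worth noticing when you run it: an ACK for a flow that is already in the table is forwarded without ever touching the ACL, exactly as step 3 says, while the same ACK from a source port that has no entry is dropped before the ACL is consulted at all.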

Netcat Tool: 5 most common usage with examples

March 21, 2018 Posted by jaacostan
Netcat is one of the most powerful and useful tools for testing and debugging network and protocol connectivity.
Though administrators use this tool for troubleshooting, attackers can use it for malicious purposes such as establishing a backdoor connection, transferring files, scanning ports, etc.
Netcat can act in client or server mode. The tool is available for both Windows and Linux.

Let's go through the five most common usages of the netcat command.

1) Check whether a port is open.
For checking TCP ports:
 #nc -v <IP or Domain name> <port number>
 Eg: nc -v www.jaacostan.com 80
For checking UDP ports:
 #nc -vu www.jaacostan.com 53 //where "u" in "-vu" selects UDP. (UDP has no handshake, so netcat cannot really tell an open UDP port from a filtered one; it only reports a closed port when an ICMP port-unreachable message comes back.)

2) Port scans

#nc -vz <IP or Website> <port range> //"z" is zero-I/O mode: just connect and report, send no data.
eg: #nc -vz www.jaacostan.com 100-200

For scanning UDP ports:
#nc -vzu www.jaacostan.com 100-200 //where "u" in "-vzu" selects UDP.

3) Netcat as a client/server.
Once netcat is installed on a system whose IP is 192.168.1.10:
#nc -l 4444 // executing this command opens a listener on port 4444.

From another machine, establish a connection to the server:
#nc 192.168.1.10 4444

4) Transfer a file.

On the server, open port 4444:
#nc -l 4444 > output // any data received on this port is saved to a file named "output".

On the client, create a sample file. Here I created "jaa".

From the client, send the contents of the file "jaa":

 #cat jaa | nc 192.168.1.1 4444  //Transfer the contents of the file "jaa" to the server.


5) Bind a program to a port and access it.

Bind a program, here cmd.exe, to port 4444:
#nc -nlvp 4444 -e cmd.exe

Establish a connection to the server on port 4444:
#nc -nv 192.168.1.10 4444

This opens a CMD prompt of the server on the client machine. (The -e option is the classic netcat backdoor: it hands an unauthenticated, unencrypted shell to whoever connects first, which is why several Linux distributions ship a netcat build without it.)
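Usages 1 to 4 above (port check, port scan, listener and file push) reduced to plain sockets, as an added example that is not part of the original post. It binds to 127.0.0.1 so the whole round trip can be exercised on one machine without netcat installed; the addresses, ports and payload are constructed. UDP is left out deliberately, since without a reply a UDP "open" port cannot be told apart from a filtered one, and the -e bind-shell case is not reproduced.

```python
"""Python equivalents of netcat usages 1 to 4 above, runnable offline.

Added example, not from the original post: the port check, the port scan, the
listener and the file push use only the socket module and bind to 127.0.0.1,
so the whole round trip can be exercised on one machine.  Addresses, ports and
the payload are constructed here; UDP is left out because without a reply a
UDP "open" port cannot be told apart from a filtered one.
"""
import socket
import threading
from typing import Iterable, List


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Like `nc -vz host port`: True if a TCP connection can be completed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_tcp_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Like `nc -vz host lo-hi`: the subset of ports that accept a connection."""
    return sorted(p for p in ports if tcp_port_open(host, p, timeout))


def receive_once(host: str = "127.0.0.1", port: int = 0):
    """Like `nc -l port > output`: listen, accept one client, read until EOF.
    Returns (bound_port, thread, result); result[0] holds the bytes received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))          # port 0 lets the OS pick a free port
    srv.listen(1)
    result: List[bytes] = [b""]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn, srv:
            chunks = []
            while True:
                data = conn.recv(65536)
                if not data:        # peer shut down its side: transfer complete
                    break
                chunks.append(data)
            result[0] = b"".join(chunks)

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread, result


def send_bytes(host: str, port: int, payload: bytes) -> None:
    """Like `cat file | nc host port`: push the bytes and signal EOF."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)


def free_closed_port(host: str = "127.0.0.1") -> int:
    """Bind-and-release a port so the demo has a port known to be closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def transfer_demo(payload: bytes = b"constructed file contents\n") -> bytes:
    """Run listener and sender on localhost and return what the listener got."""
    port, thread, result = receive_once()
    send_bytes("127.0.0.1", port, payload)
    thread.join(timeout=5)
    return result[0]


if __name__ == "__main__":
    print(transfer_demo(b"hello from the client\n"))
```

Note the shutdown(SHUT_WR) in send_bytes: it is the explicit EOF that `cat jaa | nc` gets for free when the pipe closes, and without it the listener keeps waiting. Also note that a probe against a one-shot listener consumes its single accept, which is why a scan of a service that only serves one client "closes" it.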

Saturday, March 10, 2018