Sunday, February 24, 2019

Minemeld installation, Part 1

Palo Alto Networks provides a tool for public use, Minemeld, that collates threat intelligence feeds and other indicators so that their firewalls can enforce a more dynamic security policy:
https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld

I have a slightly different use case: I want my lab firewall to be aware of each virtual machine in my lab and to use that information in policy. Some of this is available through the "VM Information Sources" feature (more information here), but it doesn't appear to be aware of details like NSX-T security groups. My goal is to implement these features using Minemeld, with some future uses on the horizon as well.

Getting Started

First I browse to https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld to download any requisite packages.

Just a note: the provided OVA is based on Ubuntu 14.04, a pretty old release. Digging a little deeper, I discovered that an Ansible playbook is provided for installation on the recommended systems!
https://github.com/PaloAltoNetworks/minemeld-ansible

I'm going to install this on my ansible host - running openSUSE Tumbleweed:


admin@ansible:~> sudo zypper in wget git gcc python-devel libffi-devel openssl-devel
[sudo] password for root:
Loading repository data...
Reading installed packages...
'openssl-devel' not found in package names. Trying capabilities.
'wget' is already installed.
No update candidate for 'wget-1.20.1-2.1.x86_64'. The highest available version is already installed.
Resolving package dependencies...
3 Problems:
Problem: python-devel-2.7.15-4.3.x86_64 requires glibc-devel, but this requirement cannot be provided
Problem: gcc-8-2.4.x86_64 requires gcc8, but this requirement cannot be provided
Problem: ruby2.5-rubygem-cfa-0.7.0-1.1.x86_64 requires ruby(abi) = 2.5.0, but this requirement cannot be provided

Problem: python-devel-2.7.15-4.3.x86_64 requires glibc-devel, but this requirement cannot be provided
  not installable providers: glibc-devel-2.29-1.3.i586[download.opensuse.org-oss]
                   glibc-devel-2.29-1.3.i686[download.opensuse.org-oss]
                   glibc-devel-2.29-1.3.x86_64[download.opensuse.org-oss]
                   glibc-devel-2.29-1.3.i586[openSUSE-20190126-0]
                   glibc-devel-2.29-1.3.i686[openSUSE-20190126-0]
                   glibc-devel-2.29-1.3.x86_64[openSUSE-20190126-0]
 Solution 1: Following actions will be done:
  deinstallation of yast2-ruby-bindings-4.1.2-1.1.x86_64
  deinstallation of yast2-samba-client-4.0.4-1.1.noarch
  deinstallation of yast2-ntp-client-4.1.7-1.1.noarch
  deinstallation of yast2-packager-4.1.24-1.1.x86_64
  deinstallation of yast2-tftp-server-4.1.6-1.1.noarch
  deinstallation of yast2-snapper-4.1.0-1.1.x86_64
  deinstallation of yast2-vpn-4.0.1-1.2.noarch
  deinstallation of yast2-users-4.1.7-1.1.x86_64
  deinstallation of yast2-update-4.1.8-1.1.x86_64
  deinstallation of yast2-tune-4.0.2-1.2.x86_64
  deinstallation of yast2-transfer-4.0.0-1.3.x86_64
  deinstallation of yast2-sysconfig-4.1.2-1.2.noarch
  deinstallation of yast2-support-4.1.0-1.1.noarch
  deinstallation of yast2-sudo-4.0.1-1.2.noarch
  deinstallation of yast2-slp-4.0.0-1.3.x86_64
  deinstallation of yast2-services-manager-4.1.14-1.1.noarch
  deinstallation of yast2-security-4.1.2-1.2.noarch
  deinstallation of yast2-samba-server-4.1.3-1.2.noarch
  deinstallation of yast2-storage-ng-4.1.48-1.1.x86_64
  deinstallation of yast2-proxy-4.1.0-1.1.noarch
  deinstallation of yast2-printer-4.0.3-1.2.x86_64
  deinstallation of yast2-pam-4.0.0-1.2.noarch
  deinstallation of yast2-online-update-4.0.2-1.2.noarch
  deinstallation of yast2-nis-client-4.1.0-1.1.x86_64
  deinstallation of yast2-nfs-client-4.1.4-1.1.noarch
  deinstallation of yast2-metapackage-handler-4.0.0-1.2.noarch
  deinstallation of yast2-mail-4.1.0-1.2.noarch
  deinstallation of yast2-journal-4.1.5-1.1.noarch
  deinstallation of yast2-iscsi-client-4.1.4-1.1.noarch
  deinstallation of yast2-hardware-detection-4.0.0-1.6.x86_64
  deinstallation of yast2-firewall-4.1.10-1.1.noarch
  deinstallation of yast2-country-data-4.1.7-1.2.x86_64
  deinstallation of yast2-auth-server-4.1.0-1.2.noarch
  deinstallation of yast2-auth-client-4.1.0-1.2.noarch
  deinstallation of yast2-apparmor-4.1.7-1.1.noarch
  deinstallation of yast2-add-on-4.1.10-1.1.noarch
  deinstallation of autoyast2-installation-4.1.1-1.1.noarch
  deinstallation of yast2-installation-4.1.34-1.1.noarch
  deinstallation of yast2-online-update-frontend-4.0.2-1.2.noarch
 Solution 2: Following actions will be done:
  deinstallation of ruby2.5-2.5.3-2.1.x86_64
  deinstallation of ruby2.5-rubygem-cfa_grub2-1.0.1-1.1.x86_64
  deinstallation of ruby2.5-rubygem-cheetah-0.5.0-1.10.x86_64
  deinstallation of ruby2.5-rubygem-fast_gettext-2.0.0-1.1.x86_64
  deinstallation of ruby2.5-rubygem-gem2rpm-0.10.1-13.6.x86_64
  deinstallation of ruby2.5-rubygem-ruby-augeas-0.5.0-3.9.x86_64
  deinstallation of ruby2.5-rubygem-ruby-dbus-0.15.0-1.1.x86_64
  deinstallation of ruby2.5-rubygem-simpleidn-0.1.1-1.1.x86_64
  deinstallation of ruby2.5-rubygem-unf-0.1.4-1.9.x86_64
  deinstallation of ruby2.5-rubygem-unf_ext-0.0.7.5-1.2.x86_64
  deinstallation of ruby2.5-stdlib-2.5.3-2.1.x86_64
 Solution 3: do not install python-devel-2.7.15-4.3.x86_64
 Solution 4: break python-devel-2.7.15-4.3.x86_64 by ignoring some of its dependencies

Choose from above solutions by number or skip, retry or cancel [1/2/3/4/s/r/c] (c): 2

Problem: gcc-8-2.4.x86_64 requires gcc8, but this requirement cannot be provided
  not installable providers: gcc8-8.2.1+r268506-1.1.i586[download.opensuse.org-oss]
                   gcc8-8.2.1+r268506-1.1.x86_64[download.opensuse.org-oss]
                   gcc8-8.2.1+r268506-1.1.i586[openSUSE-20190126-0]
                   gcc8-8.2.1+r268506-1.1.x86_64[openSUSE-20190126-0]
 Solution 1: Following actions will be done:
  deinstallation of yast2-4.1.53-1.1.x86_64
  deinstallation of yast2-ntp-client-4.1.7-1.1.noarch
  deinstallation of yast2-packager-4.1.24-1.1.x86_64
  deinstallation of yast2-tftp-server-4.1.6-1.1.noarch
  deinstallation of yast2-snapper-4.1.0-1.1.x86_64
  deinstallation of yast2-vpn-4.0.1-1.2.noarch
  deinstallation of yast2-users-4.1.7-1.1.x86_64
  deinstallation of yast2-update-4.1.8-1.1.x86_64
  deinstallation of yast2-tune-4.0.2-1.2.x86_64
  deinstallation of yast2-transfer-4.0.0-1.3.x86_64
  deinstallation of yast2-sysconfig-4.1.2-1.2.noarch
  deinstallation of yast2-support-4.1.0-1.1.noarch
  deinstallation of yast2-sudo-4.0.1-1.2.noarch
  deinstallation of yast2-slp-4.0.0-1.3.x86_64
  deinstallation of yast2-services-manager-4.1.14-1.1.noarch
  deinstallation of yast2-security-4.1.2-1.2.noarch
  deinstallation of yast2-samba-server-4.1.3-1.2.noarch
  deinstallation of yast2-storage-ng-4.1.48-1.1.x86_64
  deinstallation of yast2-proxy-4.1.0-1.1.noarch
  deinstallation of yast2-printer-4.0.3-1.2.x86_64
  deinstallation of yast2-pam-4.0.0-1.2.noarch
  deinstallation of yast2-online-update-4.0.2-1.2.noarch
  deinstallation of yast2-nis-client-4.1.0-1.1.x86_64
  deinstallation of yast2-nfs-client-4.1.4-1.1.noarch
  deinstallation of yast2-metapackage-handler-4.0.0-1.2.noarch
  deinstallation of yast2-mail-4.1.0-1.2.noarch
  deinstallation of yast2-journal-4.1.5-1.1.noarch
  deinstallation of yast2-iscsi-client-4.1.4-1.1.noarch
  deinstallation of yast2-hardware-detection-4.0.0-1.6.x86_64
  deinstallation of yast2-firewall-4.1.10-1.1.noarch
  deinstallation of yast2-country-data-4.1.7-1.2.x86_64
  deinstallation of yast2-auth-server-4.1.0-1.2.noarch
  deinstallation of yast2-auth-client-4.1.0-1.2.noarch
  deinstallation of yast2-apparmor-4.1.7-1.1.noarch
  deinstallation of yast2-add-on-4.1.10-1.1.noarch
  deinstallation of autoyast2-installation-4.1.1-1.1.noarch
  deinstallation of yast2-installation-4.1.34-1.1.noarch
  deinstallation of yast2-ldap-4.0.0-1.5.x86_64
  deinstallation of patterns-yast-yast2_basis-20181130-1.1.x86_64
  deinstallation of yast2-online-update-frontend-4.0.2-1.2.noarch
 Solution 2: Following actions will be done:
  deinstallation of ruby2.5-rubygem-abstract_method-1.2.1-2.10.x86_64
  deinstallation of ruby2.5-rubygem-ruby-augeas-0.5.0-3.9.x86_64
  deinstallation of ruby2.5-rubygem-ruby-dbus-0.15.0-1.1.x86_64
  deinstallation of ruby2.5-rubygem-simpleidn-0.1.1-1.1.x86_64
  deinstallation of ruby2.5-rubygem-unf-0.1.4-1.9.x86_64
  deinstallation of ruby2.5-rubygem-unf_ext-0.0.7.5-1.2.x86_64
  deinstallation of ruby2.5-stdlib-2.5.3-2.1.x86_64
 Solution 3: do not install gcc-8-2.4.x86_64
 Solution 4: break gcc-8-2.4.x86_64 by ignoring some of its dependencies

Choose from above solutions by number or skip, retry or cancel [1/2/3/4/s/r/c] (c): 2

Problem: ruby2.5-rubygem-cfa-0.7.0-1.1.x86_64 requires ruby(abi) = 2.5.0, but this requirement cannot be provided
  deleted providers: ruby2.5-2.5.3-2.1.x86_64
 Solution 1: Following actions will be done:
  deinstallation of yast2-country-4.1.7-1.1.x86_64
  deinstallation of yast2-packager-4.1.24-1.1.x86_64
  deinstallation of yast2-ntp-client-4.1.7-1.1.noarch
  deinstallation of yast2-network-4.1.34-1.1.noarch
  deinstallation of yast2-snapper-4.1.0-1.1.x86_64
  deinstallation of yast2-installation-4.1.34-1.1.noarch
  deinstallation of autoyast2-installation-4.1.1-1.1.noarch
  deinstallation of yast2-storage-ng-4.1.48-1.1.x86_64
  deinstallation of yast2-add-on-4.1.10-1.1.noarch
  deinstallation of yast2-apparmor-4.1.7-1.1.noarch
  deinstallation of yast2-auth-client-4.1.0-1.2.noarch
  deinstallation of yast2-auth-server-4.1.0-1.2.noarch
  deinstallation of yast2-country-data-4.1.7-1.2.x86_64
  deinstallation of yast2-firewall-4.1.10-1.1.noarch
  deinstallation of yast2-hardware-detection-4.0.0-1.6.x86_64
  deinstallation of yast2-iscsi-client-4.1.4-1.1.noarch
  deinstallation of yast2-journal-4.1.5-1.1.noarch
  deinstallation of yast2-mail-4.1.0-1.2.noarch
  deinstallation of yast2-metapackage-handler-4.0.0-1.2.noarch
  deinstallation of yast2-nfs-client-4.1.4-1.1.noarch
  deinstallation of yast2-nis-client-4.1.0-1.1.x86_64
  deinstallation of yast2-online-update-4.0.2-1.2.noarch
  deinstallation of yast2-pam-4.0.0-1.2.noarch
  deinstallation of yast2-printer-4.0.3-1.2.x86_64
  deinstallation of yast2-proxy-4.1.0-1.1.noarch
  deinstallation of yast2-samba-server-4.1.3-1.2.noarch
  deinstallation of yast2-security-4.1.2-1.2.noarch
  deinstallation of yast2-services-manager-4.1.14-1.1.noarch
  deinstallation of yast2-slp-4.0.0-1.3.x86_64
  deinstallation of yast2-sudo-4.0.1-1.2.noarch
  deinstallation of yast2-support-4.1.0-1.1.noarch
  deinstallation of yast2-sysconfig-4.1.2-1.2.noarch
  deinstallation of yast2-transfer-4.0.0-1.3.x86_64
  deinstallation of yast2-tune-4.0.2-1.2.x86_64
  deinstallation of yast2-update-4.1.8-1.1.x86_64
  deinstallation of yast2-users-4.1.7-1.1.x86_64
  deinstallation of yast2-vpn-4.0.1-1.2.noarch
  deinstallation of patterns-yast-yast2_basis-20181130-1.1.x86_64
  deinstallation of yast2-online-update-frontend-4.0.2-1.2.noarch
 Solution 2: Following actions will be done:
  deinstallation of ruby2.5-rubygem-cfa-0.7.0-1.1.x86_64
  deinstallation of ruby2.5-rubygem-cheetah-0.5.0-1.10.x86_64
  deinstallation of ruby2.5-rubygem-fast_gettext-2.0.0-1.1.x86_64
  deinstallation of ruby2.5-rubygem-gem2rpm-0.10.1-13.6.x86_64
  deinstallation of ruby2.5-rubygem-ruby-augeas-0.5.0-3.9.x86_64
  deinstallation of ruby2.5-rubygem-ruby-dbus-0.15.0-1.1.x86_64
  deinstallation of ruby2.5-rubygem-simpleidn-0.1.1-1.1.x86_64
  deinstallation of ruby2.5-rubygem-unf-0.1.4-1.9.x86_64
  deinstallation of ruby2.5-rubygem-unf_ext-0.0.7.5-1.2.x86_64
  deinstallation of ruby2.5-stdlib-2.5.3-2.1.x86_64
 Solution 3: do not ask to install a solvable providing openssl-devel
 Solution 4: break ruby2.5-rubygem-cfa-0.7.0-1.1.x86_64 by ignoring some of its dependencies

Choose from above solutions by number or skip, retry or cancel [1/2/3/4/s/r/c] (c): 2
Resolving dependencies...
Resolving package dependencies...

The following 68 NEW packages are going to be installed:
  cpp cpp8 cvs cvsps gcc gcc8 git git-core git-cvs git-email git-gui gitk git-svn glibc-devel glibc-locale-base
  libapr1 libapr-util1 libasan5 libatomic1 libcrypt1 libffi-devel libgomp1 libisl19 libitm1 liblsan0 libmpc3 libmpfr6
  libmpx2 libmpxwrappers2 libopenssl-1_1-devel libopenssl-devel libruby2_6-2_6 libserf-1-1 libsha1detectcoll1
  libtsan0 libubsan1 libutf8proc2 libxcrypt-devel libXss1 linux-glibc-devel perl-Authen-SASL perl-DBD-SQLite perl-DBI
  perl-Digest-HMAC perl-Error perl-MailTools perl-Net-SMTP-SSL python python-devel ruby2.6
  ruby2.6-rubygem-abstract_method ruby2.6-rubygem-cfa ruby2.6-rubygem-cfa_grub2 ruby2.6-rubygem-cheetah
  ruby2.6-rubygem-fast_gettext ruby2.6-rubygem-gem2rpm ruby2.6-rubygem-ruby-augeas ruby2.6-rubygem-ruby-dbus
  ruby2.6-rubygem-simpleidn ruby2.6-rubygem-unf ruby2.6-rubygem-unf_ext subversion subversion-bash-completion
  subversion-perl tcl tk xhost zlib-devel

The following 13 packages are going to be REMOVED:
  ruby2.5 ruby2.5-rubygem-abstract_method ruby2.5-rubygem-cfa ruby2.5-rubygem-cfa_grub2 ruby2.5-rubygem-cheetah
  ruby2.5-rubygem-fast_gettext ruby2.5-rubygem-gem2rpm ruby2.5-rubygem-ruby-augeas ruby2.5-rubygem-ruby-dbus
  ruby2.5-rubygem-simpleidn ruby2.5-rubygem-unf ruby2.5-rubygem-unf_ext ruby2.5-stdlib

The following 15 packages are going to be upgraded:
  glibc glibc-extra glibc-locale nscd ruby yast2 yast2-bootloader yast2-core yast2-country yast2-network
  yast2-ntp-client yast2-packager yast2-ruby-bindings yast2-snapper yast2-tftp-server

The following 6 recommended packages were automatically selected:
  git-cvs git-email git-gui gitk git-svn subversion-bash-completion

The following 2 packages are suggested, but will not be installed:
  git-daemon git-web

15 packages to upgrade, 68 new, 13 to remove.
Overall download size: 81.4 MiB. Already cached: 0 B. After the operation, additional 319.4 MiB will be used.
Continue? [y/n/...? shows all options] (y): y

Looks like this conflicts with Ruby somewhat - a non-issue for me. Time to run pip and install ansible:

admin@ansible:~> sudo -H python get-pip.py
[sudo] password for root:
Traceback (most recent call last):
  File "get-pip.py", line 21361, in <module>
    main()
  File "get-pip.py", line 197, in main
    bootstrap(tmpdir=tmpdir)
  File "get-pip.py", line 82, in bootstrap
    import pip._internal
  File "/tmp/tmpqrZ_FD/pip.zip/pip/_internal/__init__.py", line 40, in <module>
  File "/tmp/tmpqrZ_FD/pip.zip/pip/_internal/cli/autocompletion.py", line 8, in <module>
  File "/tmp/tmpqrZ_FD/pip.zip/pip/_internal/cli/main_parser.py", line 12, in <module>
  File "/tmp/tmpqrZ_FD/pip.zip/pip/_internal/commands/__init__.py", line 6, in <module>
  File "/tmp/tmpqrZ_FD/pip.zip/pip/_internal/commands/completion.py", line 6, in <module>
  File "/tmp/tmpqrZ_FD/pip.zip/pip/_internal/cli/base_command.py", line 25, in <module>
  File "/tmp/tmpqrZ_FD/pip.zip/pip/_internal/index.py", line 14, in <module>
  File "/tmp/tmpqrZ_FD/pip.zip/pip/_vendor/html5lib/__init__.py", line 25, in <module>
  File "/tmp/tmpqrZ_FD/pip.zip/pip/_vendor/html5lib/html5parser.py", line 7, in <module>
  File "/tmp/tmpqrZ_FD/pip.zip/pip/_vendor/html5lib/_inputstream.py", line 13, in <module>
  File "/tmp/tmpqrZ_FD/pip.zip/pip/_vendor/html5lib/_utils.py", line 10, in <module>
ImportError: No module named xml.etree.ElementTree

It also turns out that the get-pip.py step is not necessary, since openSUSE already provides pip through the package manager (python3-pip is installed). We're going to need to go a bit off-script here:

admin@ansible:~> zypper se pip
Loading repository data...
Reading installed packages...

S | Name                                     | Summary                                                                  | Type
--+------------------------------------------+--------------------------------------------------------------------------+--------
i | python3-pip                              | Pip installs packages. Python packages. An easy_install replacement      | package
ansible:/home/admin # pip install ansible
Collecting ansible
  Downloading https://files.pythonhosted.org/packages/e4/22/4325212e609071cd93b8142722d770f5defab34a95511f183e262f8de983/ansible-2.7.8.tar.gz (11.8MB)
    100% |████████████████████████████████| 11.8MB 3.4MB/s
Collecting jinja2 (from ansible)
  Downloading https://files.pythonhosted.org/packages/7f/ff/ae64bacdfc95f27a016a7bed8e8686763ba4d277a78ca76f32659220a731/Jinja2-2.10-py2.py3-none-any.whl (126kB)
    100% |████████████████████████████████| 133kB 20.5MB/s
Collecting PyYAML (from ansible)
  Downloading https://files.pythonhosted.org/packages/9e/a3/1d13970c3f36777c583f136c136f804d70f500168edc1edea6daa7200769/PyYAML-3.13.tar.gz (270kB)
    100% |████████████████████████████████| 276kB 2.3MB/s
Collecting paramiko (from ansible)
  Downloading https://files.pythonhosted.org/packages/cf/ae/94e70d49044ccc234bfdba20114fa947d7ba6eb68a2e452d89b920e62227/paramiko-2.4.2-py2.py3-none-any.whl (193kB)
    100% |████████████████████████████████| 194kB 19.3MB/s
Collecting cryptography (from ansible)
  Downloading https://files.pythonhosted.org/packages/98/71/e632e222f34632e0527dd41799f7847305e701f38f512d81bdf96009bca4/cryptography-2.5-cp34-abi3-manylinux1_x86_64.whl (2.4MB)
    100% |████████████████████████████████| 2.4MB 6.4MB/s
Requirement already satisfied: setuptools in /usr/lib/python3.6/site-packages (from ansible) (40.6.3)
Collecting MarkupSafe>=0.23 (from jinja2->ansible)
  Downloading https://files.pythonhosted.org/packages/b2/5f/23e0023be6bb885d00ffbefad2942bc51a620328ee910f64abe5a8d18dd1/MarkupSafe-1.1.1-cp36-cp36m-manylinux1_x86_64.whl
Collecting bcrypt>=3.1.3 (from paramiko->ansible)
  Downloading https://files.pythonhosted.org/packages/d0/79/79a4d167a31cc206117d9b396926615fa9c1fdbd52017bcced80937ac501/bcrypt-3.1.6-cp34-abi3-manylinux1_x86_64.whl (55kB)
    100% |████████████████████████████████| 61kB 17.2MB/s
Collecting pyasn1>=0.1.7 (from paramiko->ansible)
  Downloading https://files.pythonhosted.org/packages/7b/7c/c9386b82a25115cccf1903441bba3cbadcfae7b678a20167347fa8ded34c/pyasn1-0.4.5-py2.py3-none-any.whl (73kB)
    100% |████████████████████████████████| 81kB 20.0MB/s
Collecting pynacl>=1.0.1 (from paramiko->ansible)
  Downloading https://files.pythonhosted.org/packages/27/15/2cd0a203f318c2240b42cd9dd13c931ddd61067809fee3479f44f086103e/PyNaCl-1.3.0-cp34-abi3-manylinux1_x86_64.whl (759kB)
    100% |████████████████████████████████| 768kB 20.3MB/s
Collecting cffi!=1.11.3,>=1.8 (from cryptography->ansible)
  Downloading https://files.pythonhosted.org/packages/be/99/3a088b41d93aa46f07cf7fd4da1b3287e6899ad7b2b75f1a177edf025e1a/cffi-1.12.1-cp36-cp36m-manylinux1_x86_64.whl (428kB)
    100% |████████████████████████████████| 430kB 20.8MB/s
Requirement already satisfied: six>=1.4.1 in /usr/lib/python3.6/site-packages (from cryptography->ansible) (1.12.0)
Collecting asn1crypto>=0.21.0 (from cryptography->ansible)
  Downloading https://files.pythonhosted.org/packages/ea/cd/35485615f45f30a510576f1a56d1e0a7ad7bd8ab5ed7cdc600ef7cd06222/asn1crypto-0.24.0-py2.py3-none-any.whl (101kB)
    100% |████████████████████████████████| 102kB 14.4MB/s
Collecting pycparser (from cffi!=1.11.3,>=1.8->cryptography->ansible)
  Downloading https://files.pythonhosted.org/packages/68/9e/49196946aee219aead1290e00d1e7fdeab8567783e83e1b9ab5585e6206a/pycparser-2.19.tar.gz (158kB)
    100% |████████████████████████████████| 163kB 18.0MB/s
Installing collected packages: MarkupSafe, jinja2, PyYAML, pycparser, cffi, bcrypt, asn1crypto, cryptography, pyasn1, pynacl, paramiko, ansible
  Running setup.py install for PyYAML ... done
  Running setup.py install for pycparser ... done
  Running setup.py install for ansible ... done
Successfully installed MarkupSafe-1.1.1 PyYAML-3.13 ansible-2.7.8 asn1crypto-0.24.0 bcrypt-3.1.6 cffi-1.12.1 cryptography-2.5 jinja2-2.10 paramiko-2.4.2 pyasn1-0.4.5 pycparser-2.19 pynacl-1.3.0

ansible:/home/admin # git clone https://github.com/PaloAltoNetworks/minemeld-ansible.git
Cloning into 'minemeld-ansible'...
remote: Enumerating objects: 170, done.
remote: Counting objects: 100% (170/170), done.
remote: Compressing objects: 100% (121/121), done.
remote: Total 1042 (delta 89), reused 110 (delta 46), pack-reused 872
Receiving objects: 100% (1042/1042), 140.92 KiB | 1.35 MiB/s, done.
Resolving deltas: 100% (450/450), done.
ansible:/home/admin # cd minemeld-ansible/
admin@ansible:~/minemeld-ansible> ansible-playbook -K -i 127.0.0.1, local.yml
SUDO password:

PLAY [minemeld playbook] *******************************************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************************************************************************************************************************************
ok: [127.0.0.1]

TASK [infrastructure : debug] **************************************************************************************************************************************************************************************************************************************************
ok: [127.0.0.1] => {
    "msg": "Loading vars for openSUSE Tumbleweed 20190219"
}

TASK [infrastructure : include_vars] *******************************************************************************************************************************************************************************************************************************************
fatal: [127.0.0.1]: FAILED! => {"msg": "No file was found when using with_first_found. Use the 'skip: true' option to allow this task to be skipped if no files are found"}
        to retry, use: --limit @/home/admin/minemeld-ansible/local.retry

PLAY RECAP *********************************************************************************************************************************************************************************************************************************************************************
127.0.0.1                  : ok=2    changed=0    unreachable=0    failed=1

Looks like we need to find out where in the playbook with_first_found is defined.

admin@ansible:~/minemeld-ansible> grep first_found */*/*/*
roles/infrastructure/tasks/main.yml:  with_first_found:
roles/minemeld/tasks/main.yml:  with_first_found:

In either location, the following YAML is used. I'll do some more research on what that does in another blog entry:

# from http://serverfault.com/questions/587727/how-to-unify-package-installation-tasks-in-ansible
- include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
    - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
    - "{{ ansible_distribution }}.yml"
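To show what that lookup actually does, here is an added Python emulation of with_first_found (not code from minemeld-ansible or Ansible); the vars file names and the Ubuntu facts are constructed, and the Tumbleweed major version is assumed to equal its snapshot date:

```python
"""Emulate Ansible's with_first_found for the include_vars task above.

Added example, not code from minemeld-ansible or Ansible: it renders the same
three candidate file names the playbook does from the distribution facts and
applies the same rule (first existing candidate wins; no candidate fails the
task unless `skip: true` is set).  The vars file names are constructed.
"""

# The templates exactly as they appear in the playbook's with_first_found list.
CANDIDATE_TEMPLATES = (
    "{ansible_distribution}-{ansible_distribution_version}.yml",
    "{ansible_distribution}-{ansible_distribution_major_version}.yml",
    "{ansible_distribution}.yml",
)

# Assumed facts.  The playbook's debug line shows "openSUSE Tumbleweed 20190219";
# we assume Tumbleweed reports the same snapshot date as its major version.
UBUNTU_FACTS = {
    "ansible_distribution": "Ubuntu",
    "ansible_distribution_version": "16.04",
    "ansible_distribution_major_version": "16",
}
TUMBLEWEED_FACTS = {
    "ansible_distribution": "openSUSE Tumbleweed",
    "ansible_distribution_version": "20190219",
    "ansible_distribution_major_version": "20190219",
}

# Constructed vars directory: Ubuntu and CentOS files only, nothing for SUSE.
VARS_FILES = frozenset({"Ubuntu-16.04.yml", "Ubuntu.yml", "CentOS-7.yml", "CentOS.yml"})

ANSIBLE_MESSAGE = ("No file was found when using with_first_found. Use the 'skip: true' "
                   "option to allow this task to be skipped if no files are found")


def candidate_files(facts):
    """Render the templates in lookup order, most specific first."""
    return [template.format(**facts) for template in CANDIDATE_TEMPLATES]


def first_found(facts, available, skip=False):
    """Pick the vars file the way with_first_found does.

    Returns the first existing candidate; returns None when `skip` is set and
    nothing matches; otherwise raises with the message seen in the play output.
    """
    for name in candidate_files(facts):
        if name in available:
            return name
    if skip:
        return None
    raise LookupError(ANSIBLE_MESSAGE)


def lookup_fails(facts, available):
    """True when the task would end in the FAILED! state shown above."""
    try:
        first_found(facts, available)
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    for label, facts in (("Ubuntu", UBUNTU_FACTS), ("Tumbleweed", TUMBLEWEED_FACTS)):
        print(label, "tries:", candidate_files(facts))
        print(label, "picks:", first_found(facts, VARS_FILES, skip=True))
    # Either fix works: ship a per-distribution vars file, or set skip: true.
    fixed = VARS_FILES | {"openSUSE Tumbleweed.yml"}
    print("with a Tumbleweed vars file:", first_found(TUMBLEWEED_FACTS, fixed))
```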

My Home Lab!

I've removed NSX-V 6.4.4, and am about to start some more datacenter/route-switch projects - this is the lab network diagram for reference:


And, the meatspace version - the cheetos are there in case of an emergency:

RFC 7710

Captive portals suck.

We need them on any public-access network, but with the widespread adoption of HTTPS it has become really difficult for users to get any hint of where to go to obtain access.

How captive portals work

In most real-world deployments, the client station is placed in a network where none of the station's traffic is allowed through until authentication is performed.

The problem

Any scalable, well-engineered, easy-to-use guest platform needs some way of telling the user why they're being blocked and how to connect properly.
The most common approach, taken by Aruba, Palo Alto and most firewall platforms, is to enforce a destination NAT policy on unauthenticated guest traffic, translating every possible destination address to your client access gateway. This method still requires DNS to be allowed through unless you implement a separate rule for DNS (and a corresponding no-NAT policy).



As a side-effect, this implementation will make it appear as if your client access gateway is impersonating every site a user visits - pretty much all client web browsers will abort any connections that appear insecure in this manner. The only workaround is for the client station to browse to an HTTP web site - like http://neverssl.com/. As a consolation, some network devices attempt to access a captive portal detection URL automatically, like Apple's http://captive.apple.com/hotspot-detect.html, but these implementations vary greatly based on the end device and are not always reliable.

Enter RFC 7710

This is not an uncommon issue, as most modern enterprises, conventions and events all rely heavily on this type of network. Because of the usability issues described above, most conventions and other venues will typically just hand you the WPA2-PSK and leave it at that.

The IETF did not ignore the difficulties most have had with guest usability at scale, and has proposed an Internet standard to notify client stations that a captive portal exists.
In a nutshell, the IETF proposed that the network discovery protocols a client station already uses when joining a new network are the most efficient notification path for this case, and specified options for DHCPv4, DHCPv6, and IPv6 Router Advertisements:
  • DHCPv4 Option 160
  • DHCPv6 Option 103
  • RA Type 37
If the client supports this RFC, this completely eliminates the need for a MITM. It also lets you authenticate your client access gateway, which is otherwise vulnerable to spoofing:

In all of these cases, the implementation should be pretty simple - you just punch in the URI of your captive portal server, and you're done!
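As an added example (not code from RFC 7710 or any vendor), the following Python encodes the captive portal URI into each of the three carriers listed above and decodes it back, with the length handling each format needs; the portal hostname and the neighbouring option bytes are constructed.

```python
"""Encode and decode the RFC 7710 captive-portal URI options.

Added example, not code from the RFC, Aruba or Palo Alto: it builds the bytes a
DHCPv4 server, a DHCPv6 server and an IPv6 router send for the three carriers
listed above and decodes them as a client (or a sensor auditing what the network
really advertises) would.  Sample option bytes are constructed.
"""
import struct
from urllib.parse import urlsplit

DHCPV4_OPT = 160   # DHCPv4 option code, RFC 7710 section 2.1
DHCPV6_OPT = 103   # DHCPv6 option code, RFC 7710 section 2.2
ND_OPT = 37        # Router Advertisement option type, RFC 7710 section 2.3

def encode_dhcpv4(uri):
    """code(1) len(1) uri: the one-octet length caps the URI at 255 bytes."""
    data = uri.encode("ascii")
    if len(data) > 255:
        raise ValueError("URI does not fit a DHCPv4 option")
    return struct.pack("!BB", DHCPV4_OPT, len(data)) + data

def encode_dhcpv6(uri):
    """option-code(2) option-len(2) uri, both fields big-endian."""
    data = uri.encode("ascii")
    return struct.pack("!HH", DHCPV6_OPT, len(data)) + data

def encode_ra(uri):
    """type(1) length(1) uri, NUL-padded to a multiple of 8 octets; the length
    counts 8-octet units and includes the type and length octets themselves."""
    data = uri.encode("ascii")
    total = 2 + len(data)
    padded = (total + 7) // 8 * 8
    if padded > 255 * 8:
        raise ValueError("URI does not fit a single ND option")
    return struct.pack("!BB", ND_OPT, padded // 8) + data + b"\x00" * (padded - total)

def find_dhcpv4(options):
    """Walk a DHCPv4 options field; return the portal URI or None."""
    i = 0
    while i < len(options) and options[i] != 255:      # 255 = end option
        if options[i] == 0:                             # 0 = pad, no length octet
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated DHCPv4 option header")
        code, length = options[i], options[i + 1]
        body = options[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated DHCPv4 option body")
        if code == DHCPV4_OPT:
            return body.decode("ascii")
        i += 2 + length
    return None

def find_dhcpv6(options):
    """Walk DHCPv6 options; return the portal URI or None."""
    i = 0
    while i + 4 <= len(options):
        code, length = struct.unpack_from("!HH", options, i)
        body = options[i + 4:i + 4 + length]
        if len(body) != length:
            raise ValueError("truncated DHCPv6 option body")
        if code == DHCPV6_OPT:
            return body.decode("ascii")
        i += 4 + length
    return None

def find_ra(options):
    """Walk RA options (RFC 4861 TLVs); return the portal URI or None."""
    i = 0
    while i + 2 <= len(options):
        otype, units = options[i], options[i + 1]
        if units == 0:                    # RFC 4861: zero length is invalid
            raise ValueError("ND option with zero length")
        body = options[i + 2:i + units * 8]
        if len(body) != units * 8 - 2:
            raise ValueError("truncated ND option body")
        if otype == ND_OPT:
            return body.rstrip(b"\x00").decode("ascii")
        i += units * 8
    return None

def acceptable_portal_uri(uri):
    """This example's own policy, not an RFC rule: http(s) naming a host only."""
    parts = urlsplit(uri)
    return parts.scheme in ("http", "https") and bool(parts.hostname)
```

RFC 7710 has since been obsoleted by RFC 8910, which keeps DHCPv6 option 103 and RA type 37 but moves the DHCPv4 carrier to option 114, so an encoder aimed at current clients should use that code instead of 160.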

Thursday, February 14, 2019

WPA and Open System Authentication

Did you know that before you authenticate to your wireless network, it's using the same security mechanisms as open Wi-Fi?

With TLS, it's fairly well known how (most) cipher suites use the Diffie-Hellman exchange to provide reasonably effective forward secrecy. Elliptic-curve Diffie-Hellman has largely superseded RSA key exchange, but the underlying reason for using it remains the same: until you establish an encrypted session, confidentiality does not exist. The ultimate solution would be one-time pads exchanged out of band, but that is technically infeasible. There will always be a compromise, with ephemeral key exchanges sacrificed after use to achieve forward secrecy.

This is a really helpful video that visually describes the Diffie-Hellman Exchange:
https://www.youtube.com/watch?v=YEBfamv-_do

Aruba's early implementation of WPA3, mixed mode

Aruba has released ArubaOS 8.4 to general availability, and it includes WPA3-PSK:
https://www.arubanetworks.com/techdocs/ArubaOS/8.4.x.x/Default.htm

Understandably, I was pretty excited to try it out and promptly upgraded my instant cluster, contained within the "safe zone" of my home lab. It was running 8.3.0.3 before, and the upgrade required me to stand up an HTTP server to distribute binaries. The one-click upgrade worked with no issues and took ~10 minutes for both APs with no client-side downtime.

I'll try not to gush too much here, but this is a pretty wicked software release. The virtual controller UI is vastly improved and had a few new options:





Configuring WPA3-SAE was also pretty easy:
Once configured, I was able to connect to the WPA3 SSID I had created.

Wait, WHAT? Windows 10 doesn't have any WPA3 support yet! Digging a little deeper, I found that I was connected to an SSID that supported WPA2-Personal.
It'd appear that we have the capability to run both WPA2 and 3 at the same time. Of course, we can trust but verify with a packet capture. This is not normally feasible without a software-defined radio, but Aruba provides a tool (PEEKREMOTE) that will let you remotely pull a packet capture. If you're interested in doing this yourself, the guide on how is at the end of this article. There are some important steps to follow when decoding the PCAP.

Here's what I found on the RSN IE portion of the 802.11 beacon frame:
From the looks of it, the RSN IE allows multiple cipher suites and AKMs. This isn't surprising, as this is how WPA1/2 works in mixed mode. From the PCAP, I would surmise that 00:0f:ac:08 is the 802.11i designation for SAE.
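To perform the same check programmatically, here is an added Python RSN IE parser (not Aruba's or Wireshark's code) that pulls the suite selectors out of a beacon's information elements, names them in the 00:0f:ac:xx style used above, and checks the PMF bits a WPA2/WPA3 transition SSID is required to carry; the beacon bytes are constructed to match the mixed-mode description rather than taken from the author's capture.

```python
"""Parse the RSN IE from an 802.11 beacon and classify the WPA2/WPA3 mix.
Added example, not Aruba's or Wireshark's code.  The information elements
below are constructed to match the post's description (CCMP, with PSK and
SAE AKMs side by side), not copied from the author's capture.
"""
import struct

RSN_ELEMENT_ID = 48
IEEE_OUI = b"\x00\x0f\xac"
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "Suite-B-192"}
MFPR, MFPC = 0x0040, 0x0080    # RSN Capabilities bits: PMF required / PMF capable

# Constructed beacon IE list: SSID "homelab", supported rates, then the RSN IE.
BEACON_IES = bytes.fromhex(
    "00 07 68 6f 6d 65 6c 61 62"                      # SSID
    "01 04 82 84 8b 96"                               # Supported Rates
    "30 18 01 00 00 0f ac 04 01 00 00 0f ac 04"       # RSN v1, group CCMP, 1 pairwise CCMP
    "02 00 00 0f ac 02 00 0f ac 08 80 00"             # 2 AKMs (PSK, SAE), caps = MFPC
)

def suite_name(raw, table):
    """Map a 4-byte suite selector (OUI + type) to a name, 00:0f:ac:xx style."""
    sel = ":".join(f"{b:02x}" for b in raw)
    if raw[:3] == IEEE_OUI and raw[3] in table:
        return f"{table[raw[3]]} ({sel})"
    return f"unknown ({sel})"

def find_rsn(ies):
    """Walk the element ID/length TLVs and return the RSN IE body, or None."""
    i = 0
    while i + 2 <= len(ies):
        eid, length = ies[i], ies[i + 1]
        body = ies[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        if eid == RSN_ELEMENT_ID:
            return body
        i += 2 + length
    return None

def _suite_list(body, pos, table):
    """Read a little-endian count followed by that many 4-byte selectors."""
    if pos + 2 > len(body):
        raise ValueError("RSN IE ends before a suite count")
    count = struct.unpack_from("<H", body, pos)[0]
    end = pos + 2 + 4 * count
    if end > len(body):
        raise ValueError("suite list runs past the end of the RSN IE")
    return [suite_name(body[p:p + 4], table) for p in range(pos + 2, end, 4)], end

def parse_rsn(body):
    """Decode version, group cipher, pairwise ciphers, AKMs and the PMF bits."""
    if len(body) < 6:
        raise ValueError("RSN IE too short")
    version = struct.unpack_from("<H", body, 0)[0]
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = suite_name(body[2:6], CIPHERS)
    pairwise, pos = _suite_list(body, 6, CIPHERS)
    akms, pos = _suite_list(body, pos, AKMS)
    # RSN Capabilities is optional; when absent every bit is clear.
    caps = struct.unpack_from("<H", body, pos)[0] if pos + 2 <= len(body) else 0
    return {"group": group, "pairwise": pairwise, "akms": akms,
            "pmf_capable": bool(caps & MFPC), "pmf_required": bool(caps & MFPR)}

def classify(info):
    """Name the mode and check the PMF setting WPA3-Personal requires for it."""
    akm_types = {name.split(" ")[0] for name in info["akms"]}
    sae = bool(akm_types & {"SAE", "FT-SAE"})
    psk = bool(akm_types & {"PSK", "FT-PSK", "PSK-SHA256"})
    if sae and psk:     # transition mode: PMF capable but not required
        return {"mode": "WPA3-Personal transition (WPA2-PSK + SAE)",
                "pmf_consistent": info["pmf_capable"] and not info["pmf_required"]}
    if sae:             # WPA3-only: PMF must be required
        return {"mode": "WPA3-Personal only", "pmf_consistent": info["pmf_required"]}
    if psk:
        return {"mode": "WPA2-Personal", "pmf_consistent": True}
    return {"mode": "other", "pmf_consistent": True}
```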


WPA2 & 3 Differences, courtesy of Ruckus Networks:
https://theruckusroom.ruckuswireless.com/wired-wireless/technologytrends/wpa2-wpa3-new-changed-future/
802.11i Robust Security Network Information Elements:
https://mrncciew.com/2014/08/21/cwsp-rsn-information-elements/
Airheads announcement:
