Wednesday, January 10, 2018

Pi-Hole: After 1 Month

tl;dr It has been great. Truly beneficial to my home network. I can't wait to build a few on raspberry-pi's to give out to my non-technical family members.

Please consider donating to pi-hole if you've found them useful: https://pi-hole.net/donate/

I installed pi-hole about 1 month ago and have been reaping the rewards ever since. (https://showipintbri.blogspot.com/2017/12/pi-hole-day-1-first-5-minutes.html)

As Network Security Professional if you aren't watching DNS logs, YOU SHOULD!!! There is a wealth of information that can be gleaned from DNS logs. I'm writing the below post from the perspective of a home user not a security professional. If nothing else, Pi-Hole is a great start!

Pi-Hole works great. My entire house-hold's online experience has been more enjoyable.

  • Sites with either pop-ups or banner ads are no more. 
  • My wife plays alot of app games on her phone and has seen a reduction in in-between turn targeted ads.
  • My kids online experience is better as the ads delivered to them through their tablets have all been reduced.
Most people would assume Pi-Hole is for blocking ads delivered to you through your web browser while you're on your computer. This is true and it does a good job of that. It is well documented many places on the internet. I'm going to shed some light on how it effects things other than desktops/laptops.

This system isn't without its faults. I wanted to outline a few un-intended consequences:

Roku - Poster-Ad

I am a long-time cord-cutter, I have Roku's at every TV or a Roku TV. Roku normally reserves 1/3 of the screen to show you 1 giant vertical advertisement panel on the home screen to the right of your tiles. This panel is used by Roku to advertise their own products and services or used by companies that use Roku as their advertisement delivery platform.

Since having Pi-Hole on my network I haven't seen any advertisements on that panel.

Pi-Hole Enabled


Pi-Hole Disabled (5 minutes)



You maybe thinking to yourself "so, whats the big deal." The big deal is I have little kids who enjoy watching TV and who can operate the Roku by themselves. Sometimes the poster-ad on the right of the screen is a giant ad for some second-rate cartoon 'app' or site. My kids click it, because they are subjected to clever marketing, then it asks for a login, or its really just a stream with built-in target ads for kids toys, then I have to tell my kids "No" and now I'm the bad guy 😕. With Pi-Hole I have eliminated that as a source of deception for my wee-ones. 😁 

This is a good thing for my family and a plus for Pi-Hole, I love it. 


Roku - Screensaver

Like any modern device when not in use the Roku has a screensaver. Roku doesn't miss the opportunity to have this serve you ad as-well, as another advertisement delivery platform. The device, (depending on which model you have) has different screensaver offerings. This particular TV is using a Roku3, I prefer the "Big City Stroll", which is pretty cool. When Pi-Hole is Enabled (it's always enabled) Roku doesn't switch to the "Big City Stroll" it uses the Roku Logo Bounce. I suppose this is because it can't reach it's ad-delivery network. I haven't pulled a PCAP to check but I would assume it's doing a DNS lookup or a wget request using a domain name and when that fails it uses the Roku Logo Bounce. See below for my comparison:

Pi-Hole Enabled


Pi-Hole Disabled (5 minutes)



You may be thinking "So, whats the big deal", no big deal I just like the Big City Stroll and now I don't get to see it :( I have other Rokus in the house, I have a Roku Ultra in the basement and I use the fish-tank screensaver which doesn't server ads, still comes up for our amusement. The Roku TV in the bedroom also uses the Big City Stroll and it also no longer works.

Amazon Fire Tablets

The most shocking thing of all is the complete battery drain of both my kids Amazon Fire Tablets, since enabling Pi-Hole in my house. When I did my blog post about 1 month ago I was surprised to see "Blocked" results immediately. As a day or two passed I checked the admin dashboard of Pi-hole and noticed my household was making about 8,000 DNS requests daily. I was monitoring this daily from then on. Within a day or two I noticed our "Blocked" DNS requests in the 50,000 range!!!!

50,000!!! WTF!!!!

Pi-Hole has a great dashboard to show which hosts are making the requests by volume:
(Below is only 1 tablet on, making the DNS requests... the other battery died, keep reading you'll find-out why)


Using the side-by-side of clients vs. blocked domains it was easy to correlate which host was making the most requests and to what. I do not have Pi-Hole as my DHCP server (you could, it is a feature), I'm still using my router as my DHCP so I popped over to my router to see what host name held that IP. It was the generic hostname of my son's tablet. I used my LogZilla install to search for his MAC address to see which IP's he was assigned historically from my DHCPd logs. 

I loved the Amazon Fire Tablets for my kids because the batteries last all day. But now they don't last 6 hours. I couldn't figure out why. 

I searched my top blocked domain and found other people with the same issues: https://discourse.pi-hole.net/t/device-metrics-us-amazon-com-requests-like-crazy/5731

What seems to be happening is: 
The tablets are trying to reach-out to their device-metrics domain to likely tell Amazon about my kids tablet usage. Because the DNS request is blocked it never resolves and thus never makes it's connection back to it's server. It must do this on a loop: "if fail;repeat". With this domain blacklisted you can sit and watch the "Blocked" domains counter on Pi-Holes dashboard increase by a few requests every second, most of which are the "device-metrics" domain.

Even when the kids tablets screen's are off and it should be 'sleeping' it is still making DNS requests which are getting blocked a few times per second. This means the tablet never really goes to sleep and depletes it's battery.

A couple of ways around this:
  1.  White-list the domain. The connection will succeed and all is well.
  2. Turn off Wi-Fi on the kids tablets. (This doesn't always go over so well 😁)
I also have a Amazon Fire TV Stick. When both my kids tablets are powered off, I do NOT see the same requests coming from that device. This tells me it's local to my kids tablets on my network. I know other people have posted similar experience about Amazon Echos and Echo Dots.

All in all I really love Pi-Hole, it has enhanced my families online experience. I recommend it and it was stupid simple to setup.

I'm going to be building a few on Raspberry-Pi's to send to my grandparents and other family members so they can stop being bombarded with ads/malware and phishing campaigns, which in turn should stop some of the family IT help-desk tickets they send me 😁

Other than the things above I haven't noticed any problems or side-effects with using Pi-Hole at home. If you have something to add please leave a comment below.

Please consider donating to Pi-Hole if you find this useful: https://pi-hole.net/donate/

Wednesday, January 3, 2018

VRF Aware IPSEC: IKEv2

This is a follow-up to a previous blog post: VRF Aware IPSEC: IKEv1

I highly recommend Kat Mac's VPN blog series. This lays it out in plan English. Well crafted and beautifully done: https://www.network-node.com/blog/2017/7/24/ccie-security-ipsec-vpn-overview

For the "configlet" we will use the topology below (same as the previous blog post). 2 Routers directly connected (via a swtich), each with a loopback. We want the traffic sourced from a loopback and destined for a loopback to be encrypted via IPSEC tunnels. All other traffic will route without encryption.

The below topology and initial configs are the same from the previous blog post: VRF Aware IPSEC: IKEv1.

CAVEAT: These templates are an example of VRF Aware IPSEC. Each router is using a VRF routing table, NOT THE GLOBAL ROUTING TABLE (GRT)!!!


Basic Initial Configs:

R1:

vrf definition client
 !
 address-family ipv4
 exit-address-family


interface Loopback1
 vrf forwarding client
 ip address 1.1.1.1 255.255.255.255


interface FastEthernet0/0
 vrf forwarding client
 ip address 10.1.1.1 255.255.255.252


ip route vrf client 100.1.1.1 255.255.255.255 10.1.1.2

R2:


vrf definition server
 !
 address-family ipv4
 exit-address-family



interface Loopback100

 vrf forwarding server
 ip address 100.1.1.1 255.255.255.255


interface FastEthernet1/0
 vrf forwarding server
 ip address 10.1.1.2 255.255.255.252


ip route vrf server 1.1.1.1 255.255.255.255 10.1.1.1

IPSEC (IKEv2) Configs:

R1:

access-list 100 permit ip host 1.1.1.1 host 100.1.1.1

crypto ikev2 proposal client
  enc aes-cbc-256
  inte sha256
  group 21
exit

crypto ikev2 policy client
  match fvrf client
  proposal client
exit

crypto ikev2 keyring KEYRING
 peer server
  address 10.1.1.2
  pre-shared-key local cisco
  pre-shared-key remote cisco
exit


crypto ikev2 profile client
 match fvrf client
 match address local interface FastEthernet0/0
 match identity remote address 10.1.1.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
 lifetime 28800
exit


crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
mode tunnel

exit

crypto map MYMAP 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set MYSET
 set ikev2-profile client
 match address 100
exit

int fa0/0
crypto map MYMAP
exit

R2:

access-list 100 permit ip host 100.1.1.1 host 1.1.1.1

crypto ikev2 proposal server
  enc aes-cbc-256
  inte sha256
  group 21
exit

crypto ikev2 policy server
  match fvrf server
  proposal server
exit

crypto ikev2 keyring SERVER_KEYRING
 peer client
  address 10.1.1.1
  pre-shared-key local cisco
  pre-shared-key remote cisco
exit
exit


crypto ikev2 profile server
 match fvrf server
 match address local interface FastEthernet1/0
 match identity remote address 10.1.1.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local SERVER_KEYRING
 lifetime 28800
exit


crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
mode tunnel
exit

crypto map MYMAP_SERVER 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set MYSET
 set ikev2-profile server
 match address 100
exit

int fa1/0
crypto map MYMAP_SERVER
exit

Verify:

R1:

ping vrf client 100.1.1.1 source 1.1.1.1

show crypto ikev2 sa fvrf client [detailed]

show crypto ipsec sa vrf client

R2:

ping vrf server 1.1.1.1 source 100.1.1.1

show crypto ikev2 sa fvrf server [detailed]

show crypto ipsec sa vrf server

Show Output:


R1#show crypto ikev2 sa fvrf client
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.1.1.1/500          10.1.1.2/500          client/client        READY
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:21, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/41 sec

 IPv6 Crypto IKEv2  SA



R1#show crypto ikev2 sa fvrf client detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.1.1.1/500          10.1.1.2/500          client/client        READY
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:21, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/54 sec
      CE id: 1001, Session-id: 1
      Status Description: Negotiation done
      Local spi: 21E078A4CC7C3612       Remote spi: 42905DBF44368F78
      Local id: 10.1.1.1
      Remote id: 10.1.1.2
      Local req msg id:  2              Remote req msg id:  0
      Local next msg id: 2              Remote next msg id: 0
      Local req queued:  2              Remote req queued:  0
      Local window:      5              Remote window:      5
      DPD configured for 0 seconds, retry 0
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes


R1#show crypto ipsec sa vrf client

interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 10.1.1.1

[ ... OUTPUT REMOVED TO SAVE SPACE ... ]

   protected vrf: client
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (100.1.1.1/255.255.255.255/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x52F8B750(1392031568)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x522A72A4(1378513572)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4179797/3586)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x52F8B750(1392031568)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4179797/3586)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

Monday, January 1, 2018

VRF Aware IPSEC: IKEv1

I would have included this in the TIWA(Today I Was Asked) series but this isn't actually a solution to a peers problem or an explanation of a solution.

This is more of a point of reference for myself and my peers.

I'm not going to go into a long winded explanation about the templates posted here, as there is already an overwhelming about of information out there already.

I highly recommend Kat Mac's VPN blog series. This lays it out in plan English. Well crafted and beautifully done: https://www.network-node.com/blog/2017/7/24/ccie-security-ipsec-vpn-overview

Now for the templates. We will use the topology below as a basic topology. 2 Routers directly connected (via a swtich), each with a loopback. We want the traffic sourced from a loopback and destined for a loopback to be encrypted via IPSEC tunnels. All other traffic will route without encryption.

CAVEAT: These templates are an example of VRF Aware IPSEC. Each router is using a VRF routing table, NOT THE GLOBAL ROUTING TABLE (GRT)!!!


Basic Initial Configs:

R1:

vrf definition client
 !
 address-family ipv4
 exit-address-family


interface Loopback1
 vrf forwarding client
 ip address 1.1.1.1 255.255.255.255


interface FastEthernet0/0
 vrf forwarding client
 ip address 10.1.1.1 255.255.255.252


ip route vrf client 100.1.1.1 255.255.255.255 10.1.1.2

R2:


vrf definition server

 !

 address-family ipv4
 exit-address-family


interface Loopback100
 vrf forwarding server
 ip address 100.1.1.1 255.255.255.255


interface FastEthernet1/0
 vrf forwarding server
 ip address 10.1.1.2 255.255.255.252


ip route vrf server 1.1.1.1 255.255.255.255 10.1.1.1

IPSEC (IKEv1) configs:

R1:

access-list 100 permit ip host 1.1.1.1 host 100.1.1.1

crypto keyring MY_KEYRING vrf client
  pre-shared-key address 10.1.1.2 255.255.255.255 key cisco


crypto isakmp policy 10
 authentication pre-share

crypto isakmp profile MY_PROFILE
   vrf client
   keyring MY_KEYRING
   match identity address 10.1.1.2 255.255.255.255 client
   local-address FastEthernet0/0

crypto ipsec transform-set MYSET ah-md5-hmac esp-aes esp-sha-hmac 
 mode tunnel

crypto map MYMAP local-address FastEthernet0/0
crypto map MYMAP 1 ipsec-isakmp 
 set peer 10.1.1.2
 set transform-set MYSET 
 set isakmp-profile MY_PROFILE
 match address 100

int FastEthernet0/0
 crypto map MYMAP
exit

R2:

access-list 100 permit ip host 100.1.1.1 host 1.1.1.1

crypto keyring MY_KEYRING_2 vrf server
  pre-shared-key address 10.1.1.1 255.255.255.255 key cisco

crypto isakmp policy 10
 authentication pre-share

crypto isakmp profile MY_PROFILE_2
   vrf server
   keyring MY_KEYRING_2
   match identity address 10.1.1.1 255.255.255.255 server
   local-address FastEthernet1/0

crypto ipsec transform-set MYSET ah-md5-hmac esp-aes esp-sha-hmac 
 mode tunnel

crypto map MYMAP_2 local-address FastEthernet1/0
crypto map MYMAP_2 1 ipsec-isakmp 
 set peer 10.1.1.1
 set transform-set MYSET
 set isakmp-profile MY_PROFILE_2
 match address 100

int FastEthernet1/0
 crypto map MYMAP_2
exit


Verify:

R1:

ping vrf client 100.1.1.1 source 1.1.1.1

show crypto isakmp sa vrf client

show crypto ipsec sa vrf client

R2:

ping vrf server 1.1.1.1 source 100.1.1.1

show crypto isakmp sa vrf server

show crypto ipsec sa vrf server