Watchguard Fireware 11.9 Preview and APT Blocker

Over at the WatchGuard YouTube channel they have released a new video previewing the next release of Fireware (11.9) and a new service named APT Blocker.

The APT Blocker service will be available for all WatchGuard Unified Threat Management (UTM) and Next-Gen Firewall platforms and detects advanced persistent threats and zero day evasive malware.

The APT Blocker service approaches the detection of malware from behavioral analysis using emulation, rather than known malware signatures:

WatchGuard APT Blocker focuses on behavior analysis to determine if a file is malicious. APT Blocker identifies and submits suspicious files to a cloud-based, next-generation sandbox, where code is analyzed, emulated, and virtually executed to determine its threat potential. WatchGuard APT Blocker’s advanced malware analysis also uses machine-level emulation to detect advanced forms of evasion such as disabling security protocols, changing security settings or stealing passwords. APT Blocker’s full-system emulation approach to sandboxing provides simple, rapid protection that scales to inspect millions of objects at any given time.

Integrating Google Authenticator PAM module with FreeRADIUS Server

I was recently investigating two-factor authentication solutions to use with a WatchGuard XTM appliance for mobile VPN, which is where I came across FreeRADIUS (http://freeradius.org/).

FreeRADIUS server is a daemon for UNIX-like operating systems that provides a RADIUS protocol server. FreeRADIUS is an open-source project developed by the user group “the FreeRADIUS project”.

FreeRADIUS provides support for a pluggable authentication module (PAM) library. Integrating this with Google Authenticator (https://code.google.com/p/google-authenticator/), a project that provides one-time passcode (OTP) generator implementations for mobile platforms as well as a PAM module, allows a two-factor solution to be implemented.

The OTP is generated using the open standards developed by http://www.openauthentication.org/. The implementations support the HMAC-Based One-Time Password (HOTP) algorithm (https://tools.ietf.org/html/rfc4226) and the Time-Based One-Time Password (TOTP) algorithm (https://tools.ietf.org/html/rfc6238).

In order to install and configure the FreeRADIUS server and integrate it with the Google Authenticator PAM module, I performed the following steps:

1) Install FreeRADIUS and the required packages:

apt-get install build-essential libpam0g-dev freeradius git libqrencode3

2) Download the Google Authenticator PAM module source and build the executable program and libraries from source code.

git clone "https://code.google.com/p/google-authenticator/"
cd google-authenticator/libpam/
make
make install

3) FreeRADIUS is required to run as root in order to access the ‘.google_authenticator’ token in each user's home directory. This can be modified by editing ‘/etc/freeradius/radiusd.conf’ to change the user and group to root.

user = root
group = root

4) In order to use the PAM libraries to authenticate users as the default rule, edit ‘/etc/freeradius/users’ to include the following:

DEFAULT        Auth-Type := PAM

5) In order to allow PAM authentication, edit /etc/freeradius/sites-enabled/default to uncomment the following:

#  Pluggable Authentication Modules.
pam

6) PAM must combine the local Unix password with the Google Authenticator code; edit ‘/etc/pam.d/radiusd’ to contain the following:

#@include common-auth
#@include common-account
#@include common-password
#@include common-session
# Verify the trailing 6-digit code and forward the rest of the password to the next module
auth requisite pam_google_authenticator.so forward_pass
# Check the forwarded remainder against the local Unix password
auth required pam_unix.so use_first_pass

7) Restart the FreeRADIUS service to apply configuration changes:

service freeradius restart

8) Create a security group to use for RADIUS authentication:

groupadd <group>

As authentication is managed by a combination of the local Unix password and the Google Authenticator password, we will be required to create a user account on the local Unix operating system, create a password and add the account to the RADIUS security group by performing the following:

adduser <username>
usermod -a -G <group> <username>

Once the user account has been created and added to the security group we will be required to invoke google-authenticator to generate the .google_authenticator token:

cd /home/username
su username
google-authenticator

You will be prompted to answer a number of questions in regards to your authentication token. Once completed, a QR code and secret key will be created which will allow you to configure the authentication token on your device.

Do you want authentication tokens to be time-based (y/n)
Do you want me to update your "/home/username/.google_authenticator" file (y/n)
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)

In order to test authentication locally you can perform the following (with forward_pass the Unix password and the Google Authenticator token are supplied as a single password argument, with no space between them):

radtest <username> '<unix password><google authenticator token>' localhost 18120 <secret key>

If the above fails and you need to start FreeRADIUS in debug mode, perform the following:

service freeradius stop
freeradius -XXX
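As an added example (not from the original post or from the Google Authenticator project), the code generation and server-side checks that the prompts above configure, implemented from RFC 4226/6238 in Python; SAMPLE_SECRET is the RFC test key in base32 as a constructed stand-in for a real token, and the function names are mine. It also shows how forward_pass expects the Unix password and the code to be joined in one radtest argument.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226/6238 test key "12345678901234567890"
# in the base32 form google-authenticator prints (not a real user's token).
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30  # seconds per time step, as the prompts above describe

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(secret_b32, now, step=STEP):
    """RFC 6238: HOTP with the counter set to the number of 30 s steps since the epoch."""
    return hotp(secret_b32, now // step)

def verify_totp(secret_b32, code, now, window_size=3, last_used_step=None, step=STEP):
    """Server-side check mirroring the PAM module options from the prompts above:
    window_size is the number of accepted consecutive steps (3 = current plus one
    before and one after, the default 1:30 min; widen it if clocks drift), and
    last_used_step rejects a code whose step has already been consumed ("disallow
    multiple uses"). Returns the matching step to store, or None on failure."""
    current = now // step
    half = window_size // 2
    for candidate in range(current - half, current + half + 1):
        if hmac.compare_digest(hotp(secret_b32, candidate), code):
            if last_used_step is not None and candidate <= last_used_step:
                return None  # replayed, or older than the last accepted code
            return candidate
    return None

def forward_pass_password(unix_password, secret_b32, now):
    """What forward_pass expects in the RADIUS User-Password: the Unix password
    immediately followed by the 6-digit code, with no separator (so radtest
    must receive them as a single argument)."""
    return unix_password + totp(secret_b32, now)

def split_forward_pass(combined, digits=6):
    """How the module splits that field: the trailing digits are the code."""
    return combined[:-digits], combined[-digits:]
```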

Configure monitoring of Watchguard devices with Nagios XI

Firstly, we will need to enable the Firebox as an SNMP device, as below:

1) From Policy Manager, select Setup > SNMP.

2) Select the SNMP polling type and enter the configuration details. In my configuration I am selecting ‘v1/v2c’ for SNMP polling, which requires a community string to be configured.

3) Select the SNMP trap type to be ‘v2Trap’ and add your SNMP management station, in this case the Nagios XI monitoring server IP address.

4) Confirm your SNMP settings and select ‘OK’.

This will create an automatically generated policy named ‘SNMP’ to allow inbound connections to your Firebox on UDP port 161. I further configured the rule to only allow inbound SNMP from the source address of the Nagios XI monitoring server.

Now that we have SNMP enabled on the Firebox we can run the monitoring wizard to monitor the device.

1) Select the ‘Watchguard’ monitoring wizard.

2) Enter the IP address of the WatchGuard management interface and the SNMP community name as configured when enabling the Firebox as an SNMP device.

3) Select the services you wish to monitor, notifications and groups and complete the configuration.

I encountered a couple of issues following configuration: the default warning and critical values may not be relevant to your device. For example, the active connections limit was not representative of the Firebox device. By default, the thresholds are set to 300 (Warning) and 500 (Critical). The device I have is capable of supporting up to 40,000 concurrent connections, therefore I set the critical value to 36,000 and the warning threshold to 32,000.

This information is available for the device by browsing to its datasheet; in my case the XTM 5 Series details can be found at http://www.watchguard.com/docs/datasheet/wg_xtm5_ds.pdf.

It would also appear that in an active/passive cluster you may only monitor the active node based on the IP address of the device, therefore I configured my monitored host and services to use the cluster management address.