Expedition. Hardening Guide Version Palo Alto Networks, Inc.

Similar documents
LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

ssh and handson Matsuzaki maz Yoshinobu 1

SSH SECURITY. If you ve never used SSH before on a computer, the chances are very high that

Linux Network Administration

SSH. Partly a tool, partly an application Features:

Defending Yourself Against The Wily Wireless Hacker

System Administration

Secure Communications Over a Network

Start the Ubuntu Linux VM in VirtualBox. In the VM X Window session, logon as the default user osboxes.

Configuring Users and Common Roles

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

Some SSH tips & tricks you may enjoy (plus, iptables)

Host Hardening Achieve or Avoid. Nilesh Kapoor Auckland 2016

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at

Linux Systems Security. Access Control and Authentication NETS1028 Fall 2016

Managing Certificates

Setting up the Apache Web Server

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N Rev 01 July, 2012

Exercises Basics of Web Security Experiential Learning Workshop

Creating and Installing SSL Certificates (for Stealthwatch System v6.10)

Fasthosts Customer Support Generating Certificate Signing Requests

How to Secure SSH with Google Two-Factor Authentication

Bitnami ProcessMaker Community Edition for Huawei Enterprise Cloud

Adafruit's Raspberry Pi Lesson 6. Using SSH

Qualys Integration with CyberArk Application Identity Manager (AIM)

vshield Administration Guide

Once the VM is started, the VirtualBox OS Manager window can be closed. But our Ubuntu VM is still running.

CPSC 467: Cryptography and Computer Security

We want to install putty, an ssh client on the laptops. In the web browser goto:

About Backup and Restore, on page 1 Supported Backup and Restore Procedures, on page 3

RU-VPN2 - GlobalProtect Installation for Windows

Bitnami TestLink for Huawei Enterprise Cloud

Installing and Configuring vcenter Multi-Hypervisor Manager

vcenter CapacityIQ Installation Guide

BROWSER-BASED SUPPORT CONSOLE USER S GUIDE. 31 January 2017

Horizon DaaS Platform 6.1 Release Notes. This document describes changes to the Horizon DaaS Platform for Version 6.1.

Managing User Accounts

UCS Manager Communication Services

Sentry Power Manager (SPM) Software Security

Bitnami Dolibarr for Huawei Enterprise Cloud

Understanding the Dynamic Update Mechanism Tech Note

CPSC 467b: Cryptography and Computer Security

HAProxy* with Intel QuickAssist Technology

2. Installing OpenBiblio 1.0 on a Windows computer

SSH and keys. Network Startup Resource Center

Palo Alto Networks PAN-OS

Project 4: Penetration Test

Using SSL to Secure Client/Server Connections

Security. DevOps Bootcamp, OSU, Feb 2015 Kees Cook (pronounced Case )

Bitnami Moodle for Huawei Enterprise Cloud

Security Guide. Connection Broker. Advanced Connection and Capacity Management for Hybrid Clouds

SSH Product Overview

Generating Certificate Signing Requests

Table of Contents 1.1. Install, Deploy, Maintain Infrastructure Installation Download Installer. Deployment Prerequisites

Using VMware View Client for Mac

QuickStart Guide for Managing Mobile Devices. Version

Bitnami Pimcore for Huawei Enterprise Cloud

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Bitnami Coppermine for Huawei Enterprise Cloud

Public-Key Infrastructure (PKI) Lab

QuickStart Guide for Managing Computers. Version

Network Monitoring & Management. A few Linux basics

VMware Horizon Workspace Security Features WHITE PAPER

Table of Contents 1.1. Install, Deploy, Maintain Infrastructure Installation Download. Deploy the Appliance

DogeCash Masternode Setup Guide Version 1.2 (Ubuntu 16.04)

Security Fundamentals

How to Generate and Install a Certificate on a SMA

Parallel Programming

Using TU Eindhoven s VPN with Ubuntu

GroupWise Messenger 18 Installation Guide. November 2017

Quick Start Guide for Intel FPGA Development Tools on the Microsoft* Azure* Platform

Numerics. Index 1. SSH See SSH. connection inactivity time 2-3 console, for configuring authorized IP managers 11-5 DES 6-3, 7-3

Working with Ubuntu Linux. Track 2 Workshop June 2010 Pago Pago, American Samoa

RU-VPN2 - GlobalProtect Installation for Windows

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Oracle Diameter Signalling Router (DSR) Security Guide

#Uncomment the second line to enable any form of FTP write command. #write_enable=yes

TIBCO Cloud Integration Security Overview

Install the ExtraHop session key forwarder on a Windows server

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

NetConnect to GlobalProtect Migration Tech Note PAN-OS 4.1

How to connect to the University of Exeter VPN service

Bitnami Piwik for Huawei Enterprise Cloud

Using RDP with Azure Linux Virtual Machines

Windows Subsystem for Linux Guide Documentation

Orchid Fusion VMS Installation Guide

SecuRemote for Windows 32-bit/64-bit

Connection Broker Advanced Connections Management for Multi-Cloud Environments. Security Review

HLZA HOW-TO S SETTING UP AND USING REMOTE ACCESS. July 10, 2014

Build your own Lightweight Webserver - Hands-on I - Information Network I. Marius Georgescu. Internet Engineering Laboratory. 17 Apr

Bitnami ERPNext for Huawei Enterprise Cloud

CIS 76 Ethical Hacking Building an open source Pentest Sandbox, carrying out a Remote Code Execution exploit, and Remediating the RCE vulnerability.

QuickStart Guide for Managing Computers. Version

VMware Horizon Client for Chrome Installation and Setup Guide. 15 JUNE 2018 VMware Horizon Client for Chrome 4.8

PAN-OS Integration with SafeNet Luna SA HSM Tech Note PAN-OS 6.0

Using RANCID. Contents. 1 Introduction Goals Notes Install rancid Add alias Configure rancid...

Configuring SSL Security

Configuring Integrated Messaging

PiranaJS installation guide

vcenter CapacityIQ Installation Guide

Transcription:

Expedition Hardening Guide Version 1.0 1 Palo Alto Networks, Inc. www.paloaltonetworks.com 2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. You can find a list of our trademarks at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. Revision Date: May 28, 2018

Contents What is Expedition?... 3 Change default Passwords... 4 Keep OS Updated... 4 Re-generate SSH Keys... 4 Re-generate SSL certificate... 5 Revision History... 6 2018 Palo Alto Networks, Inc. 2 EXPEDITION

What is Expedition? Expedition is the fourth evolution of the Palo Alto Networks Migration Tool. The main purpose of this tool was help reducing the time and efforts to migrate a configuration from one of the supported vendors to Palo Alto Networks. By using the Migration Tool everyone can convert a configuration from Checkpoint or Cisco or any other vendor to a PanOS and give you more time to improve the results. Migration Tool 3 added some functionalities to allow our customers to enforce security policies based on App-ID and User-ID as well. With Expedition we have gone one step further, not only because we want to continue helping to facilitate the transition of a security policy from others vendors to PanOS but we want to ensure the outcome it s the best as possible, there is why we added a Machine Learning module who can help you to generate new security policies based on real log traffic and the introduction of the Best Practices Assessment Tool to check the configuration complies with the Best Practices recommended by our security experts. With all these huge improvements we expect the next time you use Expedition the journey to the excellence will be easier. EXPEDITION 3 2018 Palo Alto Networks, Inc.

How to harden Expedition Expedition is delivered as a whole VM where a preinstalled OS is in place. Palo Alto Networks is not the responsible of any OS security related there is why you have full root privileges to keep it up to date. This guide will help you in case you don t know how to maintain your server up to date and guide you in what best practices you should look at before starting using it in production environments. Change default Passwords Change the password for the expedition user from the cli by typing passwd expedition Use at least 10 characters and mix with some numeric and especial characters to make it hard to brute force it. From the GUI change it from the SETTINGS -> USERS at least to the admin user. Keep OS Updated Expedition runs on Ubuntu 16.04 OS XENIAL edition. The system has been preconfigured to run periodically an upgrade of the installed packages but you can force it by typing from the CLI these commands: sudo apt-get update sudo apt-get upgrade If any package needs an update the system will ask you and then you can upgrade them by typing Y Re-generate SSH Keys First time you download the Expedition image we encourage you to re-generate a new pair of ssh keys to avoid have man in the middle attacks. 2018 Palo Alto Networks, Inc. 4 EXPEDITION

Connect to your Expedition instance via SSH and type these commands: sudo rm /etc/ssh/ssh_host_* sudo dpkg-reconfigure openssh-server sudo systemctl restart sshd After you disconnect from the server and try to connect again you will receive an error because now the key you trusted before for the Expedition IP address won t match with the new certificate so we have to remove the entry from our ssh desktop In case you are using Mac OS this will be the error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:M9N1zOs1zwZEhUt5r+0vV/olH67P8Jveaf15vxk7JOw. Please contact your system administrator. Add correct host key in /Users/xxxxx/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /Users/xxxxx/.ssh/known_hosts:135 ßEDIT THIS FILE LINE 135 on this EXAMPLE ECDSA host key for 1.1.4.8 has changed and you have requested strict checking. Host key verification failed. To Remove the Key edit from your User s folder the file under.ssh/known_hosts and remove the entry from that file and try it again. Re-generate SSL certificate Apache SSL is already configured on Expedition and it comes by default with a private and public certificates to its recommended to create them once your instance is up and running From the CLI and after run the first command you will be prompted for some information for the new certificate like Country, company, etc, fill under your requirements. sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem sudo systemctl restart apache2 After restart Apache you can restart your browser session to see the new certificate You can use a Let s Encrypt valid certs as well, this is one User guide you can find on Internet https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04 EXPEDITION 5 2018 Palo Alto Networks, Inc.

Revision History Date Revision Comment May 28, 2018 A First release of this document. 2018 Palo Alto Networks, Inc. 6 EXPEDITION

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback