Entity Opt Dell


Friday, July 19, 2013

CIP 007 R2 Ports and Services - Part 1 (Basic Port Enumeration)

Posted on 8:36 PM by Unknown
Disclaimer: The information I provide is that of my own and does not reflect on the organizations I work for. The information I share should not be the only thing you rely upon for compliance and is provided as-is.

One of the areas of greatest concern for people involved with NERC CIP is CIP standard 007. It is the standard under which most of the hands-on work of securing assets for compliance is done, and it is also the most violated standard. A big offender is requirement R2, Ports and Services. It is a difficult one to comply with because each asset has a large number of ports and services.

This topic will be broken into multiple posts because of the amount of information there is to share; ports and services will each get their own posts. I will begin by discussing some areas of overlap.

CIP 007 R2 states, "An entity will disable all unused ports and services not required for normal or emergency operation." The requirement for this standard is interesting. Let's discuss what this means in relation to ports first.

This relates to logical network ports such as TCP port 25, which is most often used by SMTP. Ports, as they relate to compliance and security, means only listening ports: for those new to network ports, these are the ports that are open and waiting for a connection from another device, or potentially from another process on the same computer. NERC CIP does not currently have standards for the physical ports on an asset. That does not mean physical ports should not be tracked. As part of its overall security posture a company should track and control the physical ports on its devices. This has the side benefit of ensuring the information is already collected when these ports do fall under a compliance standard of one type or another. A person or entity may decide that they want to define for themselves what a port and a listening port are. As of the time I wrote this post, NERC had not yet defined either of these, but be sure to check, as new information surfaces daily.

There are multiple ways to collect information about a device's ports. Many devices can list their ports through their management interface, a program, or a built-in function. On a Windows or Linux box, a person can run netstat from the command line. Below is just a small sample of the output that may be seen from running "netstat -abno" on a Windows box (on Linux, "netstat -tulpn" or "ss -tulpn" gives the equivalent listing; both need root to show the owning process).

[Screenshot: sample output of "netstat -abno" on Windows]

This method is usually the most accurate way to collect ports from a device that supports it, because it asks the operating system directly rather than inferring from network responses.

Another way to collect ports from a device is to use a port scanning tool such as Nmap, Angry IP Scanner, etc. These tools work by probing each port on the device over the network to see whether it responds as open. The tool is usually run from a remote device. Remember to check the full TCP and UDP port ranges, 0-65535; scanning only TCP, or only a tool's default port list, is not sufficient. Nmap's default scan covers only the 1000 most common TCP ports, so pass -p- (or -p 0-65535) and add -sU for UDP. UDP scans are slow and often report ports as open|filtered rather than open, because a closed UDP port answers with an ICMP unreachable that many hosts rate-limit, so reconcile UDP results against the native listing rather than trusting the scan alone.

Port scanners are usually the only way to collect ports from devices that have no internal method of listing them; a PLC is a typical example. The output of an Nmap scan using the Zenmap GUI is shown below:

[Screenshot: output of an Nmap scan in the Zenmap GUI]

The benefit of using a port scanning tool is that a person can enumerate ports from devices that cannot enumerate them natively. Additionally, all the data usually ends up stored in one location. Some device vendors, such as Allen-Bradley, provide software to scan their devices for open ports; in most cases a person or entity should use what their vendor requires.
There are some negatives to using a port scanning tool.
  • Port scanning isn't always consistent, so a port may be missed. Run multiple scans, UDP as well as TCP, to catch all listening ports on a device.
  • If there are devices such as a firewall between the scanning device and the device being scanned, the port data may reflect the firewall's policy rather than what is actually listening.
  • Some devices do not handle being scanned well. They may lock up, slow down, or behave in ways that are not acceptable. This is a real concern for PLCs and other control devices, so use conservative timing (for Nmap, -T2 or a --max-rate limit) and never scan a production controller without the owner's agreement.
    • This may mean that a person or entity wants an identical device, configured identically, on a non-production network; that device can then be scanned to collect the port information.
    • Scanning the devices during a maintenance window, while they are not in production, may also be necessary.
With all of that in mind, I recommend that when companies purchase new devices they make sure the devices can natively enumerate port data. Many network switches, firewalls, and control devices can do this.
There will always be devices that cannot, so make sure the person or entity can reliably enumerate the ports of those devices with a port scan. Additionally, some malicious software (rootkits in particular) can hide listening ports from native commands such as netstat, so an occasional port scan from another host is useful for comparison: anything the scanner sees that the native listing does not deserves investigation, and anything the native listing has that the scanner missed means the scan is not yet trustworthy as evidence.
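To make that comparison concrete, here is an added example that is not part of the original post: a small POSIX shell script that normalises a Linux host's own listening-port listing (from "ss -lntu") and the grepable output of an Nmap scan of the same host ("nmap -sS -sU -p- -oG") to proto/port lines and diffs them. Everything the scanner reports that the host does not is a candidate hidden listener or an in-path device answering on the host's behalf; everything the host reports that the scanner missed is a scan gap to re-check. The ss and Nmap lines embedded in the script are constructed for illustration, and the host 192.168.1.10, its ports, and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: reconcile a host's own list of
# listeners with an external Nmap scan of it. Assumptions: the native list
# comes from `ss -lntu` run on the Linux host (header optional), the scan from
# `nmap -sS -sU -p- -oG scan.gnmap 192.168.1.10` run from another machine.
LC_ALL=C; export LC_ALL     # keep sort and comm on the same collation

# native_ports: ss output on stdin -> sorted unique "proto/port" lines.
# $1 is tcp/udp, $5 is Local Address:Port (0.0.0.0:22, [::]:22 or *:22).
native_ports() {
    awk '$1 == "Netid" { next }
         { n = split($5, a, ":"); print $1 "/" a[n] }' | sort -u
}

# scanned_ports: Nmap grepable output on stdin -> sorted unique "proto/port"
# lines for ports in state "open". Entries look like 22/open/tcp//ssh///;
# UDP "open|filtered" is a guess, not a confirmed listener, so it is skipped.
scanned_ports() {
    awk 'BEGIN { FS = "\t" }
         /^Host:/ {
             for (i = 2; i <= NF; i++) {
                 if ($i !~ /^Ports: /) continue
                 sub(/^Ports: /, "", $i)
                 n = split($i, e, ", ")
                 for (j = 1; j <= n; j++) {
                     split(e[j], f, "/")          # port/state/proto/...
                     if (f[2] == "open") print f[3] "/" f[1]
                 }
             }
         }' | sort -u
}

# compare_ports NATIVE_FILE SCAN_FILE: report the two disagreement classes.
#   scan-only   -> listener hidden from the OS tools, or an in-path device
#                  (firewall, proxy) answering for the host: investigate.
#   native-only -> the scan missed it (filtered, rate-limited, flaky device):
#                  rescan before trusting the scan as evidence.
compare_ports() {
    comm -13 "$1" "$2" | sed 's/^/scan-only: /'
    comm -23 "$1" "$2" | sed 's/^/native-only: /'
}

# Constructed sample data (not captured from a real device).
sample_ss() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      5      0.0.0.0:502        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
EOF
}
sample_gnmap() {
    printf '# Nmap scan initiated as: nmap -sS -sU -p- -oG - 192.168.1.10\n'
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 502/open/tcp//mbap///, 4444/open/tcp//unknown///, 161/open|filtered/udp//snmp///\tIgnored State: closed (131066)\n'
}

# demo: run the whole flow on the samples; prints the disagreement report.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_ss | native_ports > "$tmp/native"
    sample_gnmap | scanned_ports > "$tmp/scan"
    compare_ports "$tmp/native" "$tmp/scan"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Capture the native listing on the device itself and the scan from a separate host, feed each to the matching function, and diff the two files; "sh script.sh demo" runs the flow on the embedded samples, where tcp/4444 comes out as scan-only (a listener the host's own tools do not show) and udp/161 as native-only (Nmap could only say open|filtered for it, so it is not counted as confirmed).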
In the next NERC CIP related post I will share additional port enumeration information as well as methods to "disable" the ports and start to cover services.
Posted in 007, CIP, NERC, Ports, Services

Tuesday, July 16, 2013

Cobbler reposync failed

Posted on 4:37 AM by Unknown
I run daily cobbler reposync cron jobs, and it appears that sometimes the process fails with the following error:
 Exception occured: <class 'cobbler.cexceptions.CX'>  
Exception value: 'cobbler reposync failed'
Exception Info:
File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 126, in die
raise CX(msg)

Exception occured: <class 'cobbler.cexceptions.CX'>
Exception value: 'cobbler reposync failed'
Exception Info:
File "/usr/lib/python2.6/site-packages/cobbler/action_reposync.py", line 125, in run
self.sync(repo)
File "/usr/lib/python2.6/site-packages/cobbler/action_reposync.py", line 169, in sync
return self.yum_sync(repo)
File "/usr/lib/python2.6/site-packages/cobbler/action_reposync.py", line 402, in yum_sync
utils.die(self.logger,"cobbler reposync failed")
File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 134, in die
raise CX(msg)
...
!!! TASK FAILED !!!

I don't really have an explanation for this, but it seems that the reposync process doesn't really fail, as when I run the reposync command manually the process goes fine.

The reposync command line is shown when you execute "cobbler reposync", for example:
 hello, reposync  
run, reposync, run!
creating: /var/www/cobbler/repo_mirror/Dell-CentOS5/.origin/Dell-CentOS5.repo
running: /usr/bin/reposync -l -m -d --config=/var/www/cobbler/repo_mirror/Dell-CentOS5/.origin/Dell-CentOS5.repo --repoid=Dell-CentOS5 --download_path=/var/www/cobbler/repo_mirror

In this case the command line is :
reposync -l -m -d --config=/var/www/cobbler/repo_mirror/Dell-CentOS5/.origin/Dell-CentOS5.repo --repoid=Dell-CentOS5 --download_path=/var/www/cobbler/repo_mirror  

The process appears to go fine, however the return value $? is '1', which can explain why the cobbler command fails.
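Because a cron job only sees that exit code, here is an added example (not from the original post, and not cobbler's own code) of a wrapper that runs the same reposync command line, logs the exit status of every attempt, and retries a few times before failing the job. The function names, the log path and the RETRY_SLEEP and REPOSYNC variables are my own assumptions; the repo id and paths are the ones from the output above.

```shell
#!/bin/sh
# Added example, not from the original post: a cron wrapper that runs the
# reposync command cobbler prints, keeps the exit status visible in a log,
# and retries a few times before letting the job fail. The repo id and
# directories default to the ones shown in the post; REPOSYNC can be pointed
# at another binary (or a stub) and RETRY_SLEEP set to 0 for testing.

REPOSYNC="${REPOSYNC:-/usr/bin/reposync}"
MIRROR="${MIRROR:-/var/www/cobbler/repo_mirror}"
REPOID="${REPOID:-Dell-CentOS5}"
LOG="${LOG:-/var/log/reposync-$REPOID.log}"

# run_reposync: one attempt with the exact flags cobbler uses. A non-zero
# exit (such as the 1 seen in the post) is logged with a timestamp and
# passed back to the caller instead of being lost in the cron output.
run_reposync() {
    "$REPOSYNC" -l -m -d \
        --config="$MIRROR/$REPOID/.origin/$REPOID.repo" \
        --repoid="$REPOID" --download_path="$MIRROR" >>"$LOG" 2>&1
    rc=$?
    echo "$(date '+%F %T') reposync $REPOID exit=$rc" >>"$LOG"
    return $rc
}

# retry_cmd N CMD [ARGS...]: run CMD up to N times, sleeping RETRY_SLEEP
# seconds between attempts; returns 0 on the first success, otherwise the
# exit status of the last attempt.
retry_cmd() {
    n=$1; shift
    i=0
    while :; do
        "$@" && return 0
        rc=$?
        i=$((i + 1))
        [ "$i" -ge "$n" ] && return "$rc"
        sleep "${RETRY_SLEEP:-60}"
    done
}

# Cron entry point: three attempts, then a non-zero exit so cron reports it.
if [ "${1:-}" = sync ]; then
    retry_cmd 3 run_reposync
fi
```

Call it from cron as "sh reposync-wrapper.sh sync"; the log then shows one "exit=N" line per attempt, which is what you need to tell a transient mirror hiccup from a repo that is consistently failing to sync.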

Posted in CentOS, Centos 6.4, cli, Linux, Shell, System

Monday, July 15, 2013

Emulate bad or WAN network performances from a particular IP on a Gigabit LAN network

Posted on 6:30 AM by Unknown
If you're developing web or mobile applications, you will certainly be confronted with poor network conditions.

The problem is: how can I test my application under bad network conditions? You could rent a foreign internet connection, or use tools that report performance from various remote countries, but that is not a good debugging environment.

The solution is to use tc and NetEM on your front development server (typically the web or reverse proxy server), with filters so that only one client station (the debugging station) is affected.
Don't forget the filters, otherwise all your clients will be affected. Also keep in mind that tc shapes egress only: the rules below delay, drop and corrupt the packets the server sends to that client, not the ones it receives from it. If you need the return path degraded too, run netem on the client as well, or redirect ingress traffic to an ifb device.

Below is an example of how to emulate a network with:
  • 1 Mbit/s bandwidth
  • 400 ms delay
  • 5% packet loss
  • 1% corrupted packets
  • 1% duplicated packets
The debugging client IP is 192.168.0.42 (i.e. the IP affected by the bad network performance).
The following commands need to be executed on the front development server; set the appropriate NIC for your environment (eth0 is used below):
# Clean up any previous rules (errors if nothing is set, which is fine)

tc qdisc del dev eth0 root

# Root HTB qdisc, handle 1:. Traffic that matches no filter stays
# unclassified and goes out at line speed, so other clients are untouched.

tc qdisc add dev eth0 root handle 1: htb

# Class 1:42 under the root, limited to 1 Mbit/s. Mind the tc units:
# "mbit" is megabits per second, "mbps" is megaBYTES per second (8x more).

tc class add dev eth0 parent 1: classid 1:42 htb rate 1mbit

# Attach the netem degradations to class 1:42

tc qdisc add dev eth0 parent 1:42 handle 30: netem delay 400ms loss 5% corrupt 1% duplicate 1%

# Send only traffic going to 192.168.0.42 into class 1:42 (match destination IP)

tc filter add dev eth0 protocol ip prio 1 u32 match ip dst 192.168.0.42/32 flowid 1:42

# And traffic coming from it; on egress this only matters if this host forwards its packets (match source IP)

tc filter add dev eth0 protocol ip prio 1 u32 match ip src 192.168.0.42/32 flowid 1:42

To check that the rules are properly set, use the following commands:
tc qdisc show dev eth0
tc class show dev eth0
tc filter show dev eth0

Once you're done with the testing, clean up the rules with:
tc qdisc del dev eth0 root


There are many other options you can use (correlation, distribution, packet reordering, etc.); please check the documentation available at:

http://www.linuxfoundation.org/collaborate/workgroups/networking/netem

If this setup fits your requirements, I advise you to create a shell script so you can start and stop the rules with custom values. Be aware that you can also build filters on source/destination ports, etc.
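As an added example (not code from the original post), here is that start/stop script: a POSIX shell wrapper around the same tc and netem commands, with the values from the post as overridable defaults. The variable and function names are my own; DRY_RUN=1 makes it print the tc commands instead of running them, so the generated rules can be checked without root or a real NIC.

```shell
#!/bin/sh
# Added example, not from the original post: start/stop/status wrapper for the
# tc + netem rules above. Defaults match the post (eth0, 192.168.0.42, 1 Mbit/s,
# 400 ms, 5% loss, 1% corrupt, 1% duplicate); override them via environment
# variables. DRY_RUN=1 prints the tc commands instead of executing them.

DEV="${DEV:-eth0}"
CLIENT="${CLIENT:-192.168.0.42}"
RATE="${RATE:-1mbit}"        # tc units: "mbit" = megabits/s, "mbps" = megabytes/s
DELAY="${DELAY:-400ms}"
LOSS="${LOSS:-5%}"
CORRUPT="${CORRUPT:-1%}"
DUP="${DUP:-1%}"

# tc_run: run tc, or just print the command line when DRY_RUN=1
tc_run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "tc $*"
    else
        tc "$@"
    fi
}

# netem_start: root HTB, one rate-limited class, netem on that class, and u32
# filters so only traffic to/from $CLIENT enters the class. Unclassified
# traffic bypasses the class at line speed, so other clients are untouched.
# tc only shapes egress: the client's upload path is not degraded by this.
netem_start() {
    tc_run qdisc del dev "$DEV" root 2>/dev/null || true   # clean slate
    tc_run qdisc add dev "$DEV" root handle 1: htb
    tc_run class add dev "$DEV" parent 1: classid 1:42 htb rate "$RATE"
    tc_run qdisc add dev "$DEV" parent 1:42 handle 30: netem \
        delay "$DELAY" loss "$LOSS" corrupt "$CORRUPT" duplicate "$DUP"
    tc_run filter add dev "$DEV" protocol ip prio 1 u32 \
        match ip dst "$CLIENT/32" flowid 1:42
    tc_run filter add dev "$DEV" protocol ip prio 1 u32 \
        match ip src "$CLIENT/32" flowid 1:42    # only matters if this host forwards
}

# netem_stop: deleting the root qdisc removes the class, netem and filters too
netem_stop() {
    tc_run qdisc del dev "$DEV" root
}

# netem_status: show what is currently installed on the NIC
netem_status() {
    tc qdisc show dev "$DEV"
    tc class show dev "$DEV"
    tc filter show dev "$DEV"
}

case "${1:-}" in
    start)  netem_start ;;
    stop)   netem_stop ;;
    status) netem_status ;;
    "")     ;;    # no argument: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 start|stop|status" >&2; exit 2 ;;
esac
```

Typical use is "CLIENT=192.168.0.42 RATE=512kbit DELAY=250ms sh netem.sh start" on the front server, "sh netem.sh status" to verify, and "sh netem.sh stop" when done; run it first with DRY_RUN=1 to review the exact tc lines it will apply.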

If you have more complex requirements, you can try WANem, which is a live Linux Distribution with a graphical interface on top of NetEM. Please be aware that this requires route modifications on your client and server (or any other routing tricks).

http://wanem.sourceforge.net/
http://sourceforge.net/projects/wanem/files/Documents/WANemv11-Setup-Guide.pdf

I haven't had the opportunity to try it; please let me know if you have any feedback.

Posted in Bash, CentOS, cli, Kernel, Linux, Network, Performances, Shell

Monday, July 8, 2013

Dell DRAC Console/KVM with Chrome or Firefox

Posted on 11:25 AM by Unknown
Here is a really simple trick to access your DRAC remote console (i.e. the virtual KVM) with Chrome or Firefox.
This trick has been tested with DRAC 5, 6 and 7 only.

Requirement: you need a working JRE (the console is a Java Web Start application, so .jnlp files must be associated with javaws).

  • Log in to your DRAC web interface and go to "System -> Console Media"
  • Click on "Launch Virtual Console"
  • The browser will ask you to open or save a file; save it to your hard drive
  • The downloaded file has a name of the form "viewer.jnlp(x.x.x.x@x@idrac-xxxxxxx,+xxxxxxxxx,+User-xxxxx@xxxxxxxxx)"
  • Rename the file to "viewer.jnlp" (i.e. remove the garbage after the extension)
  • Double-click the file and you're done.

Really easy but so handy !

Hope that helps

Posted in Dell, Hardware