|Establish IPSec VPN Connection between Cyberoam and Microsoft Azure|
|Applicable Version: 10.00 onwards
Microsoft Azure is a cloud computing platform and infrastructure, created by Microsoft, for building, deploying and managing applications and services through a global network of Microsoft-managed datacenters. It provides both PaaS and IaaS services and supports many different programming languages, tools and frameworks, including both Microsoft-specific and third-party software and systems.
This article describes how to configure an IPSec VPN connection between Cyberoam and virtual networks hosted on Microsoft Azure. Cyberoam allows secure IPSec VPN connection with MS Azure such that an organization can safely use it as an extension of its own network.
Establish IPSec VPN connection between Cyberoam and Microsoft Azure.
You should be registered with and have access to Microsoft Azure. For details, refer to http://azure.microsoft.com.
You can configure the VPN connection in Azure by following the steps given below.
Step 1: Create Local Network
• Sign in to your Azure Account and go to Networks > Local Networks and click Add a Local Network to create a
• Specify Local Network Details, as shown below.
• Specify the Address Space of the LAN and click to save the Local Network.
Step 2: Create Virtual Network
• Go to Networks > Virtual Networks and click Create a Virtual Network to launch the Create Virtual Network Wizard.
• Specify the Name and Affinity Group of the Virtual Network. Click to go to the next configuration screen.
• Check Configure a site-to-site VPN and select Cyberoam_LAN, created in step 1, as the Local Network. Click to go to the next configuration screen.
• Specify the address space and subnet of the Virtual Network, and add the gateway subnet by clicking add gateway subnet and specifying the values.
• Clickto add to save the Virtual Network.
Step 3: Add Gateway to Virtual Network
Once Virtual Network is created, click on the newly created Virtual Network and go to the Dashboard. Click Create Gateway at the bottom of the screen and select Static Routing to associate a gateway to the Virtual Network through which it would connect to Cyberoam LAN.
It takes a few minutes to create the Gateway.
Step 4: Obtain Preshared Key
Once Virtual Network is configured, obtain the Preshared Key which would be used in Cyberoam by clicking Manage Key at the bottom of the screen.
The Preshared Key to be used is displayed on the screen, as shown below.
Step 5: Create Virtual Machine to be accessed over VPN
Go to Virtual Machines and click Create a Virtual Machine.
The New tab at the bottom of the screen pops up. Select Compute > Virtual Machine > From Gallery to start the Create Virtual Machine Wizard.
• Select the Image of Virtual Machine to be created. Here, as an example, we create a Windows Server 2012 R2 Datacenter.Clickto go to the next configuration screen.
• Specify the Virtual Machine details, as shown below.
• Check Install the VM Agent and clickto save the Virtual Machine.
The above configuration prepares Azure to connect to Cyberoam over VPN.
After configuration of VPN connection on Azure, configure IPSec connection in Cyberoam. You can configure IPSec in Cyberoam by following the steps given below. Configuration is to be done from the Cyberoam Web Admin Console using profile having read-write administrative rights over relevant features.
Step 1: Create VPN Policy
Go to VPN > Policy > Policy and click Add to add a new policy.
Configure IPSec Parameters in Cyberoam’s VPN Policy to match the IPSec Parameters supported by Azure. For information on parameters supported by Azure, refer to http://msdn.microsoft.com/en-us/library/azure/jj156075.aspx.
Click OK to save policy.
Step 2: Configure IPSec Connection
Go to VPN > IPSec > Connection and click Add to create a new connection using parameters given below.
Click OK to create the connection.
Step 3: Activate IPSec Connection
Go to VPN > IPSec > Connection and click under Active and Connection headsagainst BO_to_HO connection, created in step 2.
Under the Active status indicates that the connection is successfully activated.
Under the Connection status indicates that the connection is successfully established.
Expand your existing skills and acquire new skills on Microsoft’s cloud technologies including: Microsoft Office 365, Microsoft Exchange Online, Windows Azure, Windows Intune, Microsoft Hyper-V Server, Microsoft SharePoint Online, Microsoft Dynamics CRM Online, Microsoft System Center 2012 and SQL Azure.
Microsoft has made available over 30 learning resources to enable you to explore these technologies, including: eBooks, E-learning clinics, short videos (a.k.a. learning snacks), and classroom training courses.
Many of these valuable resources are free. To name a few:
Microsoft’s cloud-based technologies are relevant to specific job roles. Start here: http://www.gomct.com?a91e
Thank you, and good luck!
What is CryptoLocker?
CryptoLocker is a Trojan horse in terms of mechanism and a ransomware in terms of objective. Being a Trojan horse, it comes in disguised forms and once unlocked it starts searching and encrypting the files present on your local Hard Disks, shared networks or Cloud networks. This means that your computer and software keep on working, but your personal files, such as documents, spreadsheets and images, are encrypted.
Often, CryptoLocker arrives as a file with a double extension, such as .pdf.exe. Since Windows doesn’t display file extensions by default, this file may look like a PDF file rather than an executable.
Targets of CryptoLocker
CryptoLocker targets files with following extensions:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.
CryptoLocker then finds files that match with one of these types and encrypt the file using the pubic encryption key.
History of CryptoLocker
CryptoLocker was first discovered in the fall of 2013 and targeted computers running on Microsoft Windows. It displayed all the characteristics of a ransomware, i.e., the ability to target victims through phishing and malicious email links, encryption of user files and a notification box demanding a ransom for their return.
How it Works
CryptoLocker infects like normal malware, placing its files in Windows directories, and creating registry entries that allow it to restart when you reboot. It then tries to contact its command and control (C&C) server. The malware uses a random domain name generation algorithm to try and find the current C&C server. Some sample Crytpolocker domains might look like this:
Once CryptoLocker contacts its C&C, it generates a public/private cryptographic key for your specific computer, using very strong and standard RSA and AES 2048-bit encryption. The private key is only stored on the attacker’s C&C servers, but the public key is saved in a registry entry on your computer. CryptoLocker then uses that key pair to encrypt many different types of files on your computer.
After encrypting your files, following screen will be displayed to you:
So the screen will have a warning message with the time left to decrypt your data and asks for money.
The payment mechanism includes receiving a key on payment which unlocks the encrypted files. And those who deny paying before the timer expires, the corresponding private decryption key on a remote server is claimed to be deleted and hold a fair risk of losing access to their files forever.
The malware sends out system information and creates registry entries to get started after system reboots.
Modes of infection
Just like any other malware or Trojan attack, a CryptoLocker has common modes of infection. Some of which include:
– Spam Emails
– Infected portable data transfer devices
– Click on an infected link
– An infected system in the network
How Cyberoam can protect you?
Cyberoam Implements network based controls which can impact malware such as CryptoLocker and while the Antivirus, Anti Spam, Web Filtering are important, the IPS Engine also has the ability to block malware command & control (C&C) communications.
Following are some control mechanisms that you should follow to protect your network from malwares such as CryptoLocker in Cyberoam:
Cyberoam issues maintenance releases regularly, these should be tested and installed as required
You can find the information about upgrading your Cyberoam Appliance from Upgrade Firmware of Cyberoam Appliance.
– Reliable DNS settings: Ensure your appliance is configured with reliable, trusted DNS server settings. You can configure DNS settings in
Cyberoam from Network > DNS > DNS.
– Secure Firewall Rule: Malware often spreads by changing DNS settings on devices to redirect users to malware serving sites. To prevent
this, you should lock down DNS so that devices use only approved internal servers. The advantage of using approved internal server is that only
approved forwarders on the Internet are allowed to access that internal server.
To do this successfully you will need to distribute and install the Self Signed Certificate or set the appliance up as a trusted sub-ordinate authority to
your existing Enterprise Certificate Authority Information on SSL CA Certificate Installation Guide can be found at from the given link.
– Enable SMTP/SMTPS/POP3/IMAP/HTTP/HTTPS Antivirus scanning in your network : You can enable SMTP/ SMTPS/ POP3/ HTTP/ HTTPS
scanning in Cyberoam to scan Internet/Web traffic, as shown in the following screen shot:
– Secure SMTP Email Communication : You can define rules for SMTP/S scanning in Cyberoam from Antivirus > Email > SMTP/s Scanning Rules.
For more details refer Secure SMTP Email Configuration.
– Configure SMTP blocking of compressed attachments and other harmful attachments : Data Leakage through Emails is a serious threat to
business operations. Data Leakage Protection is a key necessity of any organization. As a solution, Cyberoam provides means to control the attachments
in outgoing Emails. Information of how to do it can be found out at Blocking Email Attachments over SMTP.
– Configure Anti Spam with Spam, Possible Spam, Virus Outbreak and Probable Virus Outbreak content action: You can configure these settings
in Cyberoam by identifying the mentioned content in the mail and then deciding the action for such content. You can configure these settings from
ANTI SPAM > Spam Rules as shown in the following screen shot:
In case of CryptoLocker, the IPS engine can block the download of the encryption keys, which means CryptoLocker is unable to encrypt the data on the End Point.
In order to achieve this, appropriate IPS policies should be implemented in Cyberoam.
Internet traffic (including encrypted HTTPS traffic) which is not monitored by the IPS is a potential exposure which can facilitate C&C communication.
To achieve this, create an IPS Policy which includes Malware Communication signatures and apply it on the relevant Firewall Rule(s).
To protect your network from malwares, you should filter Web/URL content as well. For Web or URL filtering related settings, keep following points in mind:
– Enable Pharming Protections
This allows the appliance to protect users against pharming by re-resolving the domain name of the website using the DNS configured on the appliance.
You can enable pharming in Cyberoam from Web Filter > Settings > Settings, refer the below screen shot for the same.
– Filter Websites that can cause security issues
To protect your network from malwares like CryptoLocker, lock following categories for all users and firewall rules:
> Hacking: Sites that provide information about or promote illegal or questionable access to or use of computer or communication
equipment, software, or databases.
> Illegal/ Unethical: Websites that feature information, methods, or instructions on fraudulent actions or unlawful conduct (non-violent)
such as scams, counterfeiting, child abuse, tax evasion, petty theft, blackmail, etc.
> Phishing and Fraud: Sites gathering personal information (such as name, address, credit card number, school, or personal schedules)
that may be used for malicious intent.
> SPAM URL: This category includes URLs that arrive in unsolicited Spam emails. Spam URL content ranges from product marketing to
potentially offensive or fraudulent sites.
> IP Address: Sites accessed through IP address, this will stop people accessing websites directly via the IP Address. This is not normal/expected
user behavior as most people use domain names which means this is often not user based traffic, often it is odd malware serving websites.
> Parked Domain: This category includes sites that once served content, but their domains have been sold and are no longer registered. Parked
domains do not host their own unique content, but usually redirect users to a generic page that states the domain name is for sale or redirect
users to a generic search engine and portal page, some of which provide valid search engine results. Some of these orphaned domains may
redirect users to malware serving sites.
> Spyware: Sites or pages that download software that without the user’s knowledge.
How the above implementation will look like is showing in the below screen shot:
In Cyberoam, You can configure above settings from Web Filter. For more information about creating the policy and applying it to user or
firewall rule consider Configuring Web Filter Policy article.
Controls should be implemented to restrict undesired applications in the network, this will normally block “Torrents” and applications that
“tunnel other apps” and “can bypass firewall policy”. It may also include undesired “P2P” Applications.
Failing to block tunneling applications and other applications that can be used to bypass firewall rules leaves you open to communication
channels that are beyond regular control mechanisms.
In Cyberoam you can configure these settings from Application Filter, by considering the Category, Risk, Characteristics and Technology
for individual applications.
For more information about blocking of particular application, refer Block P2P Applications. In the same way you can block other application as well.
Configuration for application filtering for blocking particular application is shown in the below screen shot:
Another option in controlling inbound and outbound security issues is GEO Blocking. In many situations malware and attacks can be tracked
to specific countries. So, blocking traffic from these countries can be a precautionary measure to minimize the impact of malware.
If you are able to identify the countries or regions with higher concentration of suspicious traffic you can choose to block them, and you can
create specific bypass rules to minimize exposure.
In Cyberoam, you can implement GEO blocking by creating Country-based firewall rules. By doing so you can block or manage traffic to/from
a particular country or group of counties.
To implement GEO blocking in Cyberoam, first create Country Based Host from Objects > Hosts > Country Hosts and then create Firewall rule for
the country from Firewall > Rule > Rule. For more details about GEO blocking, refer the article of Creating Country based Firewall Rules.
So to summarize, CryptoLocker is aggressively spreading, and has infected many victims. However, Cyberoam can detect and block it using various security services and control mechanisms mentioned above. CryptoLocker can also spread internally through network shares, which network security solutions can’t prevent. Ultimately, your best defence is awareness and vigilance
A small HOWTO install Monitorix 2.5.2 on Elastix 2.4 with Centos 5.10
Unfortunately in EPEL repository for Centos 5 there isn’t monitorix
But for fast solution without need to compile it from the source is OK.
yum install rrdtool rrdtool-perl perl-libwww-perl perl-MailTools perl-MIME-Lite perl-DBI perl-XML-Simple perl-Config-General perl-HTTP-Server-Simple perl-IO-Socket-SSL
rpm -ivh ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el5/en/i386/dag/RPMS/monitorix-2.5.2-1.el5.rf.noarch.rpm
( or use any other mirror from here http://rpm.pbone.net/index.php3/stat/4/ … h.rpm.html )
cp /usr/share/monitorix/cgi-bin/monitorix.cgi /var/www/monitorix-cgi
Edit in the file /etc/httpd/conf.d/monitorix.conf
replace a line
service httpd restart
service monitorix restart
Login to http://elastix-ip/monitorix
If i can do a comment for the folder cgi. A folder already exist here /var/www/cgi-bin/. To be clean, maybe change the target of directory here /var/www/cgi-bin/monitorix-cgi/
Source for this articular