Security Blog

Posts about my work in Engineering, IT, and Security

Tomcat SSL Tips

With POODLE being in the news recently, I decided it would be a good idea to look at my overall SSL configuration while closing the door to this issue. What better way to do that than by arbitrarily assigning a letter grade to my servers with the Qualys SSL Labs tool. From here I came up with a list of Tomcat SSL tips to help you improve your…


ePHI Storage Compliance

Digital storage of electronic protected health information is a treacherous path for a small company to walk. The Health Insurance Portability and Accountability Act enforces a number of requirements on the security controls required for the storage of such sensitive data. Unfortunately, the language used is not crystal clear, and I have been able to find no description of actual technical systems used to comply with these controls…


Free SSL Certs for Everyone

Earlier this week content distribution provider CloudFlare announced that they would be providing free SSL certificates for all of their accounts, both paid and free. So I pulled the trigger: after adding CloudFlare to my domain for this blog, I signed in and selected Flex SSL. This provides an SSL tunnel between the client and CloudFlare; the connection from there is unencrypted HTTP. Still, this is a…


Duo Security and CAS

I have had trouble getting two-factor authentication with Duo Security working on our Jasig CAS server in the past. However, with a new package from Unicon I was able to do it. Below I will outline the steps I took to install CAS with Duo on a clean install of SUSE Linux Enterprise Server 11.3. Download the latest Java 7 JDK RPM, in my case 7u67, and install it. rpm -i…


Using Splunk to Monitor Palo Alto Firewalls

I recently installed the Splunk App for Palo Alto on our indexers and search heads and set up a syslog feed to one of our indexers from our Palo Alto. Using the app on that indexer worked perfectly. When I switched to our search heads, no data was being populated in the app; however, the index was still accessible from search. After doing some research I found that a change…


Geo Impossible Logins: Detecting Credential Theft in Splunk

Earlier this year I attended the Educause Security Professional Conference in St. Louis. I went to a session at which Nick Hannon from Swarthmore College explained how Splunk could combine MaxMind GeoIP data with authentication logs to detect credential theft by looking for geo impossible logins. I couldn’t find an exact tutorial online, so this is my execution of his idea. I based much of the syntax on another…


Finding popular CAS services with Splunk

Let’s find out what our popular CAS services are by pulling our authentication logs for the server into Splunk Enterprise. To start, review my CAS+Splunk configuration from my last post. We need to add a new field extraction for service_url like I did below. Then I started with the following query: index=authentication service_ticket_created|top limit=40 service_url This worked; however, it returned duplicate entries when there was a difference after the question…


Mapping CAS Logins with Splunk

The first log that I wanted to parse with our new Splunk Enterprise system was the catalina.out log from our CAS server. CAS, or Central Authentication Server, is a web-based, federated, single sign-on service available at http://www.jasig.org/cas/. We use it for, among other things, our authentication for Google Apps for Education. Once the logs were indexed into Splunk, I decided mapping CAS logins would give us good visibility into potentially…
