Advisory Sophos Wireless affected by WPA and WPA2 vulnerabilities with key reinstallation attacks (KRACKs)

A vulnerability in the WPA2 protocol has been discovered that could allow an attacker to read encrypted information. This attack affects all WPA/WPA2-protected Wi-Fi networks, as the vulnerability is in the Wi-Fi WPA/WPA2 standard itself and not in any individual product or implementation.

The following CVE IDs have been assigned to document these vulnerabilities in the WPA/WPA2 protocol:

Sophos products affected:

  • Sophos UTM Wireless
  • Sophos Firewall Wireless
  • Sophos Central Wireless

All Sophos wireless products are affected: Wireless Protection in XG Firewall, Sophos UTM as well as Sophos Central Managed Wireless. Sophos will release patches as soon as they are made available.

The Wireless team is currently working on the necessary patch and after full implementation and testing on our solutions, we will be able to release a fix. This process can take a number of days.

The list below shows the scheduled patched versions that correct the WPA/WPA2 vulnerability and their expected release dates. All dates and version numbers are subject to change.

  • Sophos UTM:
    • 9.5 SR 2 (9.505) : 2017-10-20
    • 9.4 SR 3 (9.415) : 2017-11-06
  • Sophos Firewall:
    • v16.5 : 2017-10-20 (AP firmware)
    • v17.0: 2017-10-23
  • Cloud Wireless: 2017-10-20
  • Cyberoam UTM: Cyberoam is not affected by this vulnerability

  • Apply patches as soon as they are available. Sophos will update this article whenever a patch is released to fix the vulnerability.
  • Customers can reduce their exposure to the vulnerabilities by disabling the Fast Roaming options and disabling Mesh.
  • Exposure to these vulnerabilities can be reduced by patching either the wireless client or the access point. In most cases a patch for the wireless client greatly reduces the chances of being attacked, even if the AP is still vulnerable. Microsoft and many other vendors have released patches that help block these exploits.


Big problem with VNX and Global Security

Hi All, good morning

I have a problem with a “virgin” VNX.

I put a VNX in a rack and I have to configure it from scratch by going to the IP page x.x.x.x /setup

IMPORTANT: The VNX is not in a network anymore (’cause it’s a LAB environment)

When I get to the setup page I receive a certificate error and the following message:

“global security is not initialized. You must initialize global security in order to target this system.”

First question: I need to connect my laptop by crossover cable to a hub, and from the hub to the VNX by normal Ethernet cable, right?

Second question: I don’t know why, when the browser tries to find a certificate, it proposes, for example, my Outlook certificate….

Any ideas on how I can enter the setup page?

Thanks a lot to all


FAQ: Can Idle Session Timeout Be Configured For A Specific User Through NetScaler GUI?

Question:

Can idle session timeout be configured for a specific user through NetScaler GUI?

Answer: Yes, follow the steps below.

This parameter is user specific and needs to be changed for each user or group.

1. Go to System > User Administration > User.

2. Select the user.

3. Modify the idle timeout (in seconds).

Below is a screenshot showing the idle session timeout for the nsroot user modified to 9000 seconds. The default idle session timeout value is 900 seconds.

User-added image

The idle session timeout can also be changed from the CLI.

Command:

set system user <username> -password <*******> -timeout 9000

Example: set system user nsroot -password abcd -timeout 9000

User-added image


Clariion CX4-120 Question on Pool LUN Creation

Hi all,

I have a Pool with the following:

RAID 5 Type

Physical Capacity

User capacity 11600.708 GB

Consumed Capacity 11598.708 GB

Virtual capacity

Percent Subscribed 77.6814%

Total Subscribed Capacity: 9011.550GB

There are already 2 thick LUNs configured. There was a 3rd LUN configured; it was a thin LUN. I deleted that and now I would like to use the free space again, but if I try to use it by creating a new LUN I cannot see the free space.

Suggestions?

Luca Santerini

Pool 0 configuration.jpg

Pool 0 capacity.jpg

LUN creation.jpg


FAQ: Configuration of WAN/LAN Ports and Links on Citrix Branch Repeaters Version 6.0 and Later

Q: Does it matter which physical accelerated port on the rear of the appliance I use for my WAN and LAN connection?

A: Which port you use depends on the firmware version you are running. For Branch Repeater software release 5.x and earlier, these ports are agnostic; in other words, it makes no difference. You connect the LAN to either one and the WAN side to the remaining port, or vice versa. For Branch Repeater software release 6.x and later, however, the choice matters for the reporting and traffic shaping features: the introduction of Links and advanced reporting requires these ports to be configured specifically for WAN and LAN.

Q: If I am using Branch Repeater software release 6.x or later, what is the impact if I install these incorrectly?

A: This directly affects the reporting module on the Branch Repeater appliance. If the ports are connected in reverse, the reports show more network traffic received on the WAN than on the LAN; if you notice this, it is a clear sign that the ports are not connected properly. It also negatively affects the network traffic shaping feature and can cause performance issues if that feature is enabled.

Q: How do I know what each port is used for on the appliance?

A: The Branch Repeater User’s Guide provides these details.

Note: The Branch Repeater software release 6.0.1 User’s Guide has incorrectly labeled the ports. However, the correct layout is available in this article and the Branch Repeater User’s Guides for versions later than 6.0.1.

The following are actual pictures of commonly deployed Branch Repeater appliances:

User-added image

The following images display the specific port orientation on Branch Repeater appliances with two-port or (optional) four-port bypass cards:

User-added image

User-added image

Q: How do I know which port I should use for my WAN or LAN connection?

A: In this scenario, link definitions are what matters when using Branch Repeater software release 6.x. If you log on to the Branch Repeater GUI and navigate to Configuration > Links, you can see the default link definition as shown in the following screenshot:

User-added image

Make a note of the default WAN and LAN links. Each of these links is associated with an apA.x port. In the preceding screenshot, the WAN link is using apA.1 and the LAN link is using apA.2. You must now ensure that the correct physical ports (apA.1 and apA.2) are connected to their respective sides (WAN or LAN).

Q: How should I configure the Bandwidth In and Bandwidth Out values in the GUI for WAN and LAN links?

A: The LAN link should be defined using 100 percent of the LAN interface speed: for instance, if the LAN speed is 1 Gb, the value should be 1 Gbps. The WAN link should be set to 95 percent of the WAN link speed: for instance, if a WAN link is 155 Mbps, the value should be 147 Mbps. Refer to the following screenshot for an example:

User-added image

Q: How should I configure the Hardboost or Softboost WAN Bandwidth Receive Limit when QoS or Traffic Shaping is enabled?

A: This setting should be left at the default of 1 Gbps, or at a value higher than the configured WAN link. This is a legacy setting and may be removed in future builds.

Q: When QoS or Traffic Shaping is disabled on the Branch Repeater appliance, do I need to configure the links as mentioned in the preceding Question?

A: Yes, the links must be configured as described in the preceding question as a best practice. Link definition values support the QoS or Traffic Shaping feature, so when that feature is disabled the Branch Repeater appliance does not enforce them. If the feature is ever enabled in the future, it is best to ensure these values are already correct. When QoS or Traffic Shaping is disabled, the Hardboost/Softboost tab setting is what controls the bandwidth, as shown in the following screenshot:

User-added image

Note: The WAN Bandwidth Send Limit setting only appears in this tab when QoS or Traffic Shaping is disabled. If this feature is enabled, only the WAN Bandwidth Receive Limit setting is available. This is by design since the link configuration is what controls bandwidth when QoS or Traffic Shaping is enabled.


DLP offline incident report identity

I need a solution

Hi,

When we deploy the agent configuration in enable mode for both the corporate network and off network, how will I fetch the report separately, or identify on-network incidents and off-network incidents for a user? Is there any way to identify a user’s on-network activity and off-network activity (i.e. outside the intranet)? Please suggest.

Thanks
Suraj.


Data Loss Protection for Mobile Devices

I need a solution

I need to protect my organization’s sensitive data from leaking. I have secured endpoints, network and storage, but what about mobile devices? I have searched and found that the DLP suite no longer supports mobile devices as of V15.0.

How can I secure mobile devices if someone downloads email attachments containing sensitive data from outside the corporate network?


Detecting Link Failure in Citrix SD-WAN Appliance

Citrix SD-WAN creates a reliable WAN from diverse network links, including MPLS, broadband, and wireless, continuously measuring and monitoring each link for loss, latency, jitter and congestion. Link outages and errors are mitigated by NetScaler SD-WAN’s ability to move traffic off poor performing links without impact to the applications, resulting in predictable and consistent performance. Mission critical applications are always routed across the paths with the fastest transit time, real-time application traffic can be duplicated to guarantee no loss and traffic from high bandwidth applications can be balanced across multiple links to provide high performance for large file transfers.

Complete the following steps to monitor the SD-WAN WAN links and virtual paths:

  1. Log into the Master Control Node or the remote SD-WAN appliance.

  2. Go to Monitoring > Statistics > In the Scroll Menu select: Paths (Details).

  3. Enable the auto refresh option.


The monitoring page displays the following information:

  • Congestion: detected on a WAN link when there is increased, unexpected delay in packet flow across the WAN.

  • Path State: GOOD, BAD or DEAD. A path is marked BAD due to loss and incurs a path scoring penalty. A path is DEAD when there is no connection with the other end.

  • Reason: the reason why a path is marked BAD or DEAD. It can be one of:

    • PEER: the remote site detected that the path state changed to BAD or DEAD

    • SILENCE: no packets received

    • LOSS: some missing packets detected

  • Duration: the number of seconds the path has been in its current state

  • Virtual Path Service State: GOOD, BAD or DEAD. The virtual path requires at least one path up to remain GOOD.

  • Source and Destination Port: the port configured to establish the virtual path between the two SD-WAN appliances

  • MTU: the discovered MTU valid for a specific path, in the LAN to WAN direction only.

  • BOWT: Best One Way Time (latency)

  • Jitter: the statistically calculated jitter. Jitter is defined as the variation in the delay of received packets. At the sending side, packets are sent in a continuous stream spaced evenly apart. Due to network congestion, improper queuing, or configuration errors, this steady stream can become lumpy, so that the delay between packets varies instead of remaining constant.

  • OOO: packets out of order.

  • Packet Lost: the percentage of packet loss

  • kbps: the total bandwidth consumed by all packet types.

  • Virtual Path Service Type: confirms whether the WAN link path is part of a Static or Dynamic virtual path
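As an added illustration (not Citrix code), the following applies the path state rules above to a constructed set of Paths (Details) rows: it derives the virtual path state from its member paths (at least one GOOD path keeps it GOOD, as stated above; the BAD/DEAD split below is an assumption) and raises alerts for paths that are BAD or have been DEAD for longer than an assumed threshold.

```python
from dataclasses import dataclass


@dataclass
class PathStats:
    # Fields mirror the Paths (Details) columns described above
    name: str        # "source WAN link -> destination WAN link"
    state: str       # GOOD, BAD or DEAD
    reason: str      # PEER, SILENCE or LOSS ("" when GOOD)
    duration_s: int  # seconds spent in the current state
    bowt_ms: float   # best one-way time
    jitter_ms: float
    loss_pct: float


# Constructed sample rows for one virtual path (not real appliance output)
SAMPLE_PATHS = [
    PathStats("MCN-MPLS->BR-MPLS", "GOOD", "", 86400, 12.0, 1.5, 0.0),
    PathStats("MCN-INET->BR-INET", "BAD", "LOSS", 45, 38.0, 9.0, 3.2),
    PathStats("MCN-MPLS->BR-INET", "DEAD", "SILENCE", 600, 0.0, 0.0, 100.0),
]


def virtual_path_state(paths):
    """GOOD while at least one member path is GOOD (the rule stated above);
    DEAD when every member path is DEAD; otherwise BAD (assumed)."""
    states = {p.state for p in paths}
    if "GOOD" in states:
        return "GOOD"
    return "DEAD" if states == {"DEAD"} else "BAD"


def path_alerts(paths, dead_after_s=300, loss_pct_max=2.0, jitter_ms_max=5.0):
    """Return human-readable alerts; the thresholds are example assumptions."""
    out = []
    for p in paths:
        if p.state == "DEAD" and p.duration_s >= dead_after_s:
            out.append(f"{p.name}: DEAD ({p.reason}) for {p.duration_s}s - check link")
        elif p.state == "BAD":
            detail = []
            if p.loss_pct > loss_pct_max:
                detail.append(f"loss {p.loss_pct}%")
            if p.jitter_ms > jitter_ms_max:
                detail.append(f"jitter {p.jitter_ms}ms")
            out.append(f"{p.name}: BAD ({p.reason}) " + ", ".join(detail))
    return out


if __name__ == "__main__":
    print("virtual path:", virtual_path_state(SAMPLE_PATHS))
    for alert in path_alerts(SAMPLE_PATHS):
        print(alert)
```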


How ICA RTT is calculated on NetScaler Insight

ICA Round Trip Time (RTT) is the elapsed time from when the user presses a key until the response is displayed back at the endpoint. It is calculated neither by NetScaler nor by MAS: the value is calculated at the XenApp/XenDesktop level, picked up by NetScaler and provided to MAS, which displays it accordingly.

Therefore, ICA RTT consists of the actual application delay, which includes:

1. Client OS introduced delay

2. Client to NS introduced network delay (Wan Latency)

3. NS introduced delay in processing client to NS traffic (Client Side Device Latency)

4. NS introduced delay in processing NS to Server (XA/XD) traffic (Server Side Device Latency)

5. NS to Server network delay (DC Latency)

6. Server (XA/XD) OS introduced delay (Host Delay)

ICA_RTT is not equal to the delays above added together (1 + 2 + 3 + 4 + 5 + 6); however, all six items do contribute to the ICA RTT delay. They do not add up because the majority of these values are Layer 4 measurements, while ICA RTT is calculated at Layer 7. A Layer 7 operation can be composed of multiple Layer 4 round trips, so it is incorrect to assume ICA_RTT = 1 + 2 + 3 + 4 + 5 + 6. That said, those times provide significant insight into where an issue may lie, and you should use the Layer 4 delays to locate the problem when there are reports of slowness.

One should also take into account that acceptable Layer 4 latency or ICA_RTT values depend on the type of content being delivered, as well as on the various components of your network, servers, and users, so we do not publish “acceptable values”.

Here are examples of how these values can vary and why it matters.

  • Video or audio streaming can tolerate far more latency and remain smooth without buffering; however, jitter and limited bandwidth can cause issues.
  • Audio or video teleconferences tolerate far less jitter or latency, but latency of up to 30ms may be acceptable for audio calls.
  • Desktop apps can tolerate significantly more latency and jitter, but the type of app also changes the requirement. AutoCAD, for example, requires precision with the mouse and therefore may necessitate low latency, whereas MS Word has no such requirement and latency is far less of an issue.

Additionally, none of these latency metrics account for packet loss, out-of-order packets, duplicate ACKs, or retransmissions. Latency can increase when these occur, but not always, and WAN latency also increases the further away a user is geographically from the NetScaler, so an increase in latency does not deterministically indicate any of those TCP issues. Engineers must therefore use judgement based on what they know about their network, users, and usage patterns, and may need to take a NetScaler trace to evaluate whether TCP issues exist on the user’s WAN link, as those will not be obvious from the Layer 4 metrics shown in NMAS but will increase the ICA_RTT.

Finally, the values are cumulative. Take for example a situation where WAN latency is high but generally OK, and there are two servers, one with low latency and one with high but generally OK latency. When a user with high WAN latency connects to the server with low latency, they may have no issues. When they connect to the server with high latency, however, the combined result may not be OK and the user may have a poor experience. This is where ICA RTT comes into play, as it gives you a better overall picture of the user’s experience.
