There's a key?!

by 03-14-2017 04:28 AM - edited 05-11-2017 08:06 AM

Every door has a key. Did you know your firewall has one too?


To ensure your private data is safe, any passwords or private keys contained on the firewall are stored in the config file hashed and encrypted, respectively. If someone were to get their hands on your configuration file, they would not simply be able to read your sensitive information:


<users>
  <entry name="admin">
    <permissions>
      <role-based>
        <superuser>yes</superuser>
      </role-based>
    </permissions>
    <phash>$1$ghehiqiw$Ir5FpVWY1qLJW0g6zous81</phash>
  </entry>
  <entry name="gateway">
    <subject-hash>748b4cff</subject-hash>
    <issuer-hash>23c12542</issuer-hash>
    <not-valid-before>Mar 12 12:04:51 2015 GMT</not-valid-before>
    <issuer>/CN=rot_cert</issuer>
    <not-valid-after>Mar 11 12:04:51 2016 GMT</not-valid-after>
    <common-name>gateway.example.com</common-name>
    <algorithm>RSA</algorithm>
    <expiry-epoch>1457697891</expiry-epoch>
    <ca>no</ca>
    <subject>/CN=gateway.example.com</subject>
    <public-key>
-----BEGIN CERTIFICATE-----
MIIC6TCCAdGgAwIBAgIBBTANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDFAhyb3RfY2VydDAeFw0xNTAzMTIxMjA0NTFaFw0xNjAzMTExMjA0NTFaMBgxFjAUBgNVBAMTDTE3Mi4xNi4zMS4yNDcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbPFB4pYn8m0yE2wA0tv59vn/5TfshwxbHsqm9g5uA4MAWegT/x/7wtniS+VtNWM1h58dB/t3M8207hYSexpVQ1BDf0/AbrTEXSpmNclfssushuUda5bhyDmp9dSd01TZbDPX/I5+5BlYPCOYaXmfzz1XnZwncUHFb79e5YSD3hIkYGnIIZ+zEzPkLHCgxkeGgK2NEOhAo8hHb8Yju0grXvqov7UkSsMZ60ltxc7F2Hcst2ys0BDfspq+RDSgQ/rwjkkUzHDVFjZkohMSVQyle+IrlzV5WaUQoG8KHbg7cTtPuYmYl8ntGvbSKIVMBofvKp+YHu0gFIqVDOA3eEUuhAgMBAAGjQzBBMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgO4MCcGA1UdJQQgMB4GCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwUwDQYJKoZIhvcNAQELBQADggEBAEtB9eTUbZRyOAqY1AZunVU8CYNv9fxoG0GA6o1dKGqSkFzL3CtFpWrIr7IN50P1ieiUZWE1+0863t+dEFo7+I0nN2dloXtxfsbxooD7c9gUj9D7XKGW9Ym41aRORE2bElOtOXAxRuoY+fpBWHkv3l60JskjfjjePfvDEqaJFbd6MkTTP8GfRj+Ob/2pSbnU5jid+B+vcLPjbpObqBn4UFxDvvIM91V5b0wMqwlyXBdpQhduTjsUt/w+cQmkov60hjzXbk0uUZxEXl3gnHuEfK1jhrsOxrLXg0p4RLp3Rx+aK3eIdyQ4UmGi7sR3jgk+T8NOBnUGC9+UidvNLPitnyE=
-----END CERTIFICATE-----
    </public-key>
    <private-key>
-AQ==4rjHgwi9/fjqeSdPmjREP63gUiw=...
    </private-key>
  </entry>

But what if someone simply imports the configuration file onto another similar firewall?


Since all factory-default firewalls (the way they come out of the box) share the same factory 'master key', the configuration file can be loaded onto another similar device, and your administrator accounts and certificates will be directly usable there. This is great for migrating configuration, but it could pose a security risk if someone were to get hold of your config file.
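Before a config export leaves your hands (for a migration, a support case, or a backup share), it helps to know exactly which credentials it carries. The script below is an added example, not part of the original post and not a vendor tool: it parses a constructed excerpt in the same shape as the one shown above and inventories the secret-bearing elements. Two assumptions are labelled in the code: the '-AQ==' prefix seen on the sample's private key is treated as the marker for "encrypted under the master key", and the '$1$', '$5$' and '$6$' prefixes are read as the standard modular-crypt identifiers for md5-crypt, sha256-crypt and sha512-crypt. The element placement in the sample is illustrative; the walk uses iter() so it does not depend on it.

```python
"""Inventory the secret-bearing elements of an exported firewall config.

Added example (not the original post's code). Assumptions:
- a <private-key> value starting with '-AQ==' (as on the sample above)
  is taken to mean "encrypted under the device master key";
- <phash> prefixes are read as modular-crypt format identifiers.
"""
import time
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample: same element names as the excerpt above, but the
# hash, certificate and key bodies are stand-ins, not real material.
SAMPLE_CONFIG = """<config>
  <users>
    <entry name="admin">
      <phash>$1$ghehiqiw$Ir5FpVWY1qLJW0g6zous81</phash>
    </entry>
    <entry name="ops">
      <phash>$5$saltsalt$EXAMPLEHASHVALUE0000000000000000000000000000</phash>
    </entry>
  </users>
  <certificate>
    <entry name="gateway">
      <common-name>gateway.example.com</common-name>
      <expiry-epoch>1457697891</expiry-epoch>
      <public-key>-----BEGIN CERTIFICATE-----
EXAMPLE
-----END CERTIFICATE-----</public-key>
      <private-key>
-AQ==EXAMPLEENCRYPTEDBLOB=
      </private-key>
    </entry>
    <entry name="legacy">
      <common-name>legacy.example.com</common-name>
      <expiry-epoch>1893456000</expiry-epoch>
      <public-key>-----BEGIN CERTIFICATE-----
EXAMPLE
-----END CERTIFICATE-----</public-key>
      <private-key>UNRECOGNISEDFORMATBLOB=</private-key>
    </entry>
  </certificate>
</config>
"""

# Standard modular-crypt identifiers (fact), not firewall-specific values.
HASH_FORMATS = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}

# Assumption: marker for "encrypted under the master key", taken from the
# sample private key shown above.
ENCRYPTED_PREFIX = "-AQ=="


def hash_format(phash: str) -> str:
    """Return the modular-crypt family a <phash> value belongs to."""
    for prefix, name in HASH_FORMATS.items():
        if phash.startswith(prefix):
            return name
    return "unknown"


def inventory(xml_text: str, now: Optional[int] = None) -> dict:
    """List admin accounts and certificate keys found in a config export.

    'now' is an epoch timestamp used for the expiry check; it defaults to
    the current time and is injectable so the result is reproducible.
    """
    root = ET.fromstring(xml_text)
    now = int(time.time()) if now is None else now
    accounts, certs = [], []
    for entry in root.iter("entry"):
        phash = entry.findtext("phash")
        if phash:
            accounts.append({"name": entry.get("name"),
                             "hash_format": hash_format(phash.strip())})
        priv = entry.findtext("private-key")
        if priv is None:
            continue
        value = priv.strip()
        expiry = entry.findtext("expiry-epoch")
        certs.append({
            "name": entry.get("name"),
            "common_name": entry.findtext("common-name"),
            "key_protection": ("master-key encrypted"
                               if value.startswith(ENCRYPTED_PREFIX)
                               else "unrecognised, inspect"),
            # An expired certificate's key is still a secret; it is flagged
            # only so the reader knows what the export contains.
            "expired": expiry is not None and int(expiry) < now,
        })
    return {"accounts": accounts, "certificates": certs}


def report(inv: dict) -> str:
    """Render the inventory as one line per finding."""
    lines = [f"account {a['name']}: password hash ({a['hash_format']})"
             for a in inv["accounts"]]
    lines += [f"certificate {c['name']} ({c['common_name']}): private key "
              f"{c['key_protection']}{', expired' if c['expired'] else ''}"
              for c in inv["certificates"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(inventory(SAMPLE_CONFIG)))
```

Run it against a real export by replacing SAMPLE_CONFIG with the file contents; anything reported as "unrecognised, inspect" deserves a manual look before the file is shared, and a config whose keys are all "master-key encrypted" is only as portable as the master key itself, which is the point of the next section.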


To ensure your private data remains private, the master key can be changed to a key of your choosing:


At the bottom of the left-hand menu of the Device tab, you can access the 'Master Key and Diagnostics' options.

[Screenshot: master key.png]


Here you can change the Master Key to a new 16-character string. The first time you set a personal Master Key, the 'Current Master Key' field can be left blank; on every subsequent change, the previous Master Key must be entered.


A lifetime can be set between 1 hour and 2 years (730 days), but beware: once the Master Key expires, the system reboots into maintenance mode and can only be recovered through a factory reset (so use the 1-hour option only when there is an urgent need to do it, like in a James Bond evil-villain scenario with a giant countdown clock and sharks with lasers on their heads).


An automated reminder can be configured to raise a system alert letting you know the key is about to expire and needs to be refreshed (this alert can also be included in log forwarding profiles).


Hope you found this information useful!


Reaper out
