
CrowdSec Security Engine 1.5 is officially here!

The biggest release since 1.0, CrowdSec Security Engine 1.5 brings you new features, major enhancements, and more control of your security management. Discover all that is new in 1.5 and how to get started in this article.


We launched a private preview of the CrowdSec Security Engine 1.5 to our community members in March to allow them to test it out and give us feedback. After a few months of testing, it was clear that the CrowdSec Security Engine 1.5 was ready for its debut by the end of May. So here it is, new features, major enhancements and more ways to manage your security. Check out all the updates and what’s new below. You can also read about the increased performance and faster response times when processing high volumes of logs that our community members experienced with the CrowdSec Security Engine 1.5. 

“We are delighted to announce the launch of CrowdSec Security Engine 1.5 today. Following our last release in February 2022, we have been busy listening to our users to deliver a new version with significant enhancements, including the ability to receive “orders” from the console. We have also developed several new features, including compliance and post-exploitation scenarios to the engine. We are also hugely grateful to the CrowdSec community that has been busy testing the release over the last few months to ensure a smooth and successful roll-out for all our users.” – Thibault Koechlin, Chief Technology Officer, CrowdSec

Polling API Integration

With the polling API, the Console can now send orders to the CrowdSec instances, allowing users to manage their decisions (the IPs banned at a given time). Let’s dive into what that means.

Real-time decisions management

The new Polling API gives you the ability to complete real-time decision management within the console. For users with many instances, you can now ban IPs on all of your instances at once, all from the comfort of a single page, rather than running an automation script to update all instances. A great timesaver for SecOps teams.

Teaser: securely configure and customize the fleet of instances from the Console

In the future, the polling API feature will allow users to set up parsers and scenarios directly from the CrowdSec Console.

New Blocklist API and Premium Blocklists

We recently announced the external IP blocklists, which allow all of our users to subscribe to at least 2 (new) additional blocklists created by the CrowdSec team, in addition to our community-fuelled blocklist, to better protect your instances.

Viktoria Rei Bauer (@ToeiRei on Discord, Twitch, and Twitter), CrowdSec Ambassador, saw a 190% increase in blocked IP addresses after implementing CrowdSec’s new Blocklist API and subscribing to 2 new blocklists. 

“My average number of IP blocks was 2,000 per day. The day isn’t even over and I’ve already blocked 6,000 IPs.”

The chart below shows the impact the blocklist subscription made on Rei’s CrowdSec pfSense deployment. The red line marks the implementation of the blocklists, which resulted in a 183% increase in malicious IPs blocked, peaking at a 400% increase.

Kubernetes audit acquisition

The feature we presented at Kubehuddle UK 2022 is finally here:

Kubernetes Cluster Monitoring now gives our users the ability to monitor and protect their whole K8s cluster, and not just the services running on it.

S3 audit acquisition

CrowdSec now supports reading logs stored in an S3 bucket, allowing you to process logs generated by AWS services (such as ALB access logs or CloudFront logs).

Auditd support

Auditd support allows for the detection of “post-exploitation behaviors”, including:

  • base64 + interpreter (perl/bash/python)
  • curl/wget and exec
  • pkill execve bursts
  • rm execve bursts
  • exec from suspicious locations
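The following is an added example, not CrowdSec’s own scenarios or parser code, showing how three of the behaviors listed above (base64 + interpreter, and pkill/rm execve bursts) can be expressed as detection logic over auditd EXECVE records. The audit lines are constructed for this example, and the thresholds (burst size, window, decode-to-exec delay) are assumptions chosen for illustration, not values CrowdSec uses.

```python
import base64
import re
from collections import deque

# auditd EXECVE record layout: type=EXECVE msg=audit(<epoch>.<ms>:<serial>): argc=N a0=".." a1=".."
EXECVE_RE = re.compile(
    r'type=EXECVE msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): argc=\d+ (?P<args>.*)$'
)
ARG_RE = re.compile(r'a\d+="([^"]*)"')

INTERPRETERS = {"bash", "sh", "dash", "perl", "python", "python3"}
B64_TOKEN = re.compile(r'^[A-Za-z0-9+/]{40,}={0,2}$')  # long base64-looking argv entry
BURST_BINARIES = {"pkill", "rm"}
BURST_THRESHOLD = 5     # assumed: this many execve calls of one binary ...
BURST_WINDOW_S = 10.0   # ... inside this sliding window is a burst
DECODE_TO_EXEC_S = 5.0  # assumed: interpreter launched this soon after `base64 -d`


def parse_execve(line):
    """Return {'ts', 'serial', 'argv'} for an EXECVE record, or None for other records."""
    m = EXECVE_RE.match(line)
    if not m:
        return None
    return {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "argv": ARG_RE.findall(m.group("args")),
    }


def detect(lines):
    """Run the three rules over audit lines; return [(rule_name, audit_serial), ...]."""
    alerts = []
    bursts = {b: deque() for b in BURST_BINARIES}  # timestamps per burst binary
    last_decode_ts = None
    for line in lines:
        ev = parse_execve(line)
        if ev is None or not ev["argv"]:
            continue
        ts, serial, argv = ev["ts"], ev["serial"], ev["argv"]
        prog = argv[0].rsplit("/", 1)[-1]  # basename of the executed binary

        # Rule 1: interpreter invoked with an inline base64 blob as an argument.
        if prog in INTERPRETERS and any(B64_TOKEN.match(a) for a in argv[1:]):
            alerts.append(("base64-arg-to-interpreter", serial))

        # Rule 2: `base64 -d` followed shortly by an interpreter execve.
        if prog == "base64" and any(a in ("-d", "--decode") for a in argv[1:]):
            last_decode_ts = ts
        elif (prog in INTERPRETERS and last_decode_ts is not None
              and ts - last_decode_ts <= DECODE_TO_EXEC_S):
            alerts.append(("base64-then-interpreter", serial))
            last_decode_ts = None

        # Rule 3: burst of pkill / rm execve calls inside a sliding time window.
        if prog in BURST_BINARIES:
            window = bursts[prog]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW_S:
                window.popleft()
            if len(window) >= BURST_THRESHOLD:
                alerts.append((f"{prog}-execve-burst", serial))
                window.clear()  # alert once per burst
    return alerts


# Constructed sample: benign `ls`, a decode-then-run pair, a pkill burst,
# an interpreter fed an inline blob, and two `rm` calls that stay below threshold.
INLINE_BLOB = base64.b64encode(b"constructed sample payload for this example only").decode()
SAMPLE_AUDIT_LINES = [
    'type=EXECVE msg=audit(1685000000.100:101): argc=2 a0="ls" a1="-la"',
    'type=EXECVE msg=audit(1685000001.200:102): argc=3 a0="/usr/bin/base64" a1="-d" a2="/tmp/stage.txt"',
    'type=EXECVE msg=audit(1685000002.500:103): argc=2 a0="/bin/bash" a1="/tmp/stage.sh"',
    'type=EXECVE msg=audit(1685000010.000:104): argc=3 a0="pkill" a1="-f" a2="agent"',
    'type=EXECVE msg=audit(1685000011.000:105): argc=3 a0="pkill" a1="-f" a2="agent"',
    'type=EXECVE msg=audit(1685000012.000:106): argc=3 a0="pkill" a1="-f" a2="agent"',
    'type=EXECVE msg=audit(1685000013.000:107): argc=3 a0="pkill" a1="-f" a2="agent"',
    'type=EXECVE msg=audit(1685000014.000:108): argc=3 a0="pkill" a1="-f" a2="agent"',
    f'type=EXECVE msg=audit(1685000020.000:109): argc=3 a0="python3" a1="-c" a2="{INLINE_BLOB}"',
    'type=EXECVE msg=audit(1685000030.000:110): argc=2 a0="rm" a1="/tmp/a"',
    'type=EXECVE msg=audit(1685000031.000:111): argc=2 a0="rm" a1="/tmp/b"',
]

if __name__ == "__main__":
    for rule, serial in detect(SAMPLE_AUDIT_LINES):
        print(f"{rule}: audit serial {serial}")
```

Each alert carries the audit serial so an analyst can pull the matching SYSCALL and PROCTITLE records for context (auid, session, cwd), which is where a real scenario would also scope the burst counters per user session rather than per host as done here.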

CrowdSec CTI API helpers

You can now query CrowdSec’s Cyber Threat Intelligence (CTI) from your parsers and behavior scenarios thanks to our new CTI API, allowing you to react to each threat differently according to each IP’s reputation and classification.

This new CTI API makes CrowdSec and the CTI more interactive with each other, allowing users to query more information about a specific IP, for example how the machine is being used and the type of attack it relates to. CrowdSec can now query all this data in real time, helping users spot false positives and reducing alert fatigue.

AWS CloudTrail Scenarios

Thanks to 1.5’s new behavior detection capabilities, we were able to create an advanced AWS CloudTrail scenario helping you to detect and better understand what’s happening in your cloud. Below you can see a list of activities you are now able to detect.

  • Detect AWS CloudTrail configuration change
  • Detect AWS Config configuration change
  • Detect AWS console authentication failure
  • Detect AWS IAM policy change
  • Detect AWS KMS key deletion
  • Detect login without MFA to the AWS console
  • Detect AWS NACL change
  • Detect AWS Network Gateway change
  • Detect AWS root account usage
  • Detect AWS route table change
  • Detect AWS S3 bucket policy change
  • Detect AWS Security Group change
  • Detect AWS API unauthorized calls
  • Detect AWS VPC change
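As an added example (not CrowdSec’s CloudTrail scenario or its expression syntax), the rule table below encodes a subset of the activities listed above as predicates over CloudTrail JSON records and runs them against constructed sample events. The event names and fields (`eventSource`, `eventName`, `userIdentity.type`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`, `errorCode`) are real CloudTrail fields; the particular sets of event names per rule are an illustrative selection, not a complete list.

```python
import json

# Illustrative API-name sets per rule (real CloudTrail event names, not exhaustive).
CLOUDTRAIL_CHANGE = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
IAM_POLICY_CHANGE = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
                     "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
                     "DetachUserPolicy", "DetachRolePolicy", "DetachGroupPolicy",
                     "CreatePolicy", "DeletePolicy", "CreatePolicyVersion"}
SG_CHANGE = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}
KMS_DELETION = {"ScheduleKeyDeletion", "DisableKey"}


def _is_console_login(r):
    return r.get("eventName") == "ConsoleLogin"


def _login_result(r):
    return (r.get("responseElements") or {}).get("ConsoleLogin")


# (rule name, predicate over one CloudTrail record)
RULES = [
    ("cloudtrail-config-change",
     lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
               and r.get("eventName") in CLOUDTRAIL_CHANGE),
    ("console-auth-failure",
     lambda r: _is_console_login(r) and _login_result(r) == "Failure"),
    ("console-login-without-mfa",
     lambda r: _is_console_login(r) and _login_result(r) == "Success"
               and (r.get("additionalEventData") or {}).get("MFAUsed") == "No"),
    ("root-account-usage",
     lambda r: (r.get("userIdentity") or {}).get("type") == "Root"),
    ("iam-policy-change",
     lambda r: r.get("eventSource") == "iam.amazonaws.com"
               and r.get("eventName") in IAM_POLICY_CHANGE),
    ("kms-key-deletion",
     lambda r: r.get("eventSource") == "kms.amazonaws.com"
               and r.get("eventName") in KMS_DELETION),
    ("security-group-change",
     lambda r: r.get("eventSource") == "ec2.amazonaws.com"
               and r.get("eventName") in SG_CHANGE),
    ("unauthorized-api-call",
     lambda r: any(tag in (r.get("errorCode") or "")
                   for tag in ("AccessDenied", "UnauthorizedOperation"))),
]


def evaluate(records):
    """Return [(rule_name, eventID)] for every rule each record matches, in log order."""
    hits = []
    for rec in records:
        for name, pred in RULES:
            if pred(rec):
                hits.append((name, rec.get("eventID")))
    return hits


def evaluate_log_file(text):
    """CloudTrail delivers files shaped {"Records": [...]}; evaluate one such file."""
    return evaluate(json.loads(text)["Records"])


# Constructed sample records (shape follows CloudTrail; values are made up).
SAMPLE_RECORDS = [
    {"eventID": "ev-1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "ev-2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "ev-3", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "ev-4", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"type": "AssumedRole"}},
    {"eventID": "ev-5", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "ev-6", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "dave"}},
]

if __name__ == "__main__":
    for rule, event_id in evaluate(SAMPLE_RECORDS):
        print(f"{rule}: {event_id}")
```

The rules are deliberately stateless (one record in, zero or more hits out); counting repeated `console-auth-failure` or `unauthorized-api-call` hits per principal over time is what a bucket-based scenario adds on top of this.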

Feature flag support

Feature flags let us ship features within the Security Engine that are disabled by default but can be activated manually by the user.

This makes it safer to include beta features and gives the community more opportunities to preview what’s coming and help us test those features across a range of use cases.

Detection Engine improvements

  • Conditional buckets: an improvement of our behavior detection system that allows more complex expressions in the alert-triggering mechanism
  • Event data stash: allows parsers to capture data for future enrichment, adding the capability to detect advanced malicious behaviors

CAPI Allowlist

While the community blocklist is highly curated, and designed to avoid false positives, sometimes a shared IP used by both innocent and malicious actors will end up in it, so we’ve added the capability to create allowlists that can also be applied to the community-powered blocklist.

Conclusion

We would like to thank our community of users who have helped us reach this major milestone! Thanks to your feedback we have been able to create a release that truly caters to your needs and enhances your use of CrowdSec. 

Interested in using CrowdSec Security Engine 1.5? If you haven’t already, install the CrowdSec Security Engine and then sign up for the CrowdSec Console. We will also be hosting a live webinar to go over all the new features and enhancements!

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About CrowdSec

Thibault & Philippe, two of CrowdSec’s founders, used to work in high-security hosting, which was a relatively new field back in the 2010s. They designed a protection stack which would also block IPs that committed violations.

One day, one of their clients, a famous sports-oriented e-commerce shop, was under attack. It was not a real problem since it was protected by a robust stack, but the attacker used more than 3,000 IP addresses to try to attack the website. This event sparked the idea that became the genesis of CrowdSec.

New IP External Blocklists

All users on the CrowdSec Console can now subscribe their instances to third-party blocklists cherry-picked by our expert team. With these 14 blocklists, including 3 premium ones, you can secure your systems against VoIP fraud, botnets, and more.

We are excited to announce that we just released the new Blocklists tab in the CrowdSec Console. All users can now subscribe to two of the 11 free third-party blocklists. And, if you are an Enterprise user, you have access to 3 premium blocklists with no limit to the number of blocklists you subscribe an instance to.

The Blocklists you can subscribe to

The blocklists contain IPs that come from various proxies, Tor nodes, and known scanners. One of the blocklists you can find is the FireHOL voipbl.org list, a distributed VoIP blacklist aimed at protecting against VoIP fraud and minimizing abuse for networks that have publicly accessible PBXs. Another is the TOR Blocklist, which contains Tor exit nodes’ IP addresses. You can also stay protected against IPs belonging to botnets with CrowdSec’s very own aggregated list (part of the premium blocklists).

Bots and attackers often try to hide their malicious activities using proxies and Tor nodes. Therefore, once you have subscribed to one of the blocklists, you might want to apply remediation to those IPs, either by blocking them, validating that they are genuine humans via CAPTCHA, or any custom remediation you might have implemented on your bouncer.

Dive a little deeper

Before subscribing to a blocklist, you can see the number of IPs the list currently has as well as how many have been added and removed in the last month and in the last 2 days. 

Information for the Firehol BotScout Blocklist

All of the third-party blocklists provided were cherry-picked by the expert team at CrowdSec from reliable websites.

How to subscribe to a blocklist 

Log into the Console, and click on the new ‘Blocklists’ tab under Instances. Click on the ‘Subscribe’ button next to the blocklist you want. You can then select the instances from your park that you’d like to subscribe to this blocklist and then, choose what type of remediation should be applied to this blocklist.

Supporting multiple MFA methods, Awingu provides a web portal for secure access to applications and files

By deploying a virtual appliance gateway inside the enterprise or organisation’s internal network, Awingu provides a secure, browser-based channel for accessing enterprise applications and files

Over the more than three years of the COVID-19 pandemic, working from home and hybrid work took off. Not only did cloud services supporting multi-user collaboration become popular, but IT applications offering remote access services also gained huge business opportunities. In recent years, several Taiwanese distributors have introduced new secure remote access solutions; here we look at Awingu, distributed in Taiwan by Version 2.

Its developer, Awingu, was founded in 2011 and is headquartered in Ghent, Belgium. In June 2022 Corel acquired the company, planning to fold it into the Parallels brand it had bought in 2018. Parallels is best known for the PC virtualisation software Parallels Desktop and also owns Remote Application Server (RAS), which supports multi-user remote desktop access. Corel hopes to combine Awingu with RAS to provide a single sign-on access platform for secure work from any device, anytime, anywhere, covering both traditional and cloud-native applications as well as file access.

In September of that year, Corel announced its rename to Alludo (pronounced “All You Do”); Parallels is one of the company’s ten major brands, covering Awingu, Parallels RAS and Parallels Desktop. In December, Awingu announced the release of its latest version, 5.4.

This March, Version 2 Taiwan formally introduced Awingu to the Taiwanese market in an online seminar, giving us a look at the solution’s characteristics. Broadly, Awingu resembles AirWatch, the predecessor of VMware Workspace ONE, but it does not cover user-device management such as mobile device management (MDM) or unified endpoint management (UEM); instead it focuses on the delivery of applications and files.

In terms of how it operates, Awingu is closer to products or cloud services that focus solely on application virtualisation or remote application access, such as VMware Horizon Apps, Microsoft Azure RemoteApp (discontinued in August 2017), or Citrix DaaS, formerly Citrix Virtual Apps and Desktops service.

As for deployment, compared with the software-based solutions above, Awingu only requires a virtual appliance to be set up as a relay gateway inside the corporate network or a private network in the public cloud. Employees only need to reach a single web portal through their PC browser, and can then securely connect, over common standard protocols such as RDP, CIFS and LDAP, to the various new and legacy application systems and file storage services running in those environments, without relying on comparatively complex encrypted tunnel services such as a traditional VPN or installing additional client-side encrypted connection software on the PC.

In terms of connection streaming load, a single Awingu virtual appliance can handle up to 500 concurrent RDP sessions (requiring at least 8 virtual processors and 8 GB of memory); for larger connection volumes the vendor recommends deploying 3 virtual appliances.

If more than 100 heavy-load users must be online at the same time (each opening 3 RDP streaming connections and 10 reverse-proxied web application sessions, and handling multiple files per hour), multiple Awingu virtual appliance nodes can be set up as a cluster to share the work (the vendor recommends no more than 8 nodes per cluster). When multiple nodes run in parallel, they are divided into 3 roles: front end (RDP and file access), back end (auditing) and database (storing Awingu configuration and data other than audit records).

To support more than 200 concurrent users, or for high availability (HA) to prevent the service from going down, an enterprise needs at least 3 nodes plus an external database, and can also deploy an external load balancer at that point.

On bandwidth usage, Version 2 Taiwan says that compared with other remote application streaming products on the market, Awingu is fairly lightweight: each application access connection needs 80 Kbps to 100 Kbps (upload and download), and access latency can be below 350 milliseconds, even below 60 milliseconds.

Judging from the technical architecture published on the Awingu website, the approach seems similar to remote secure access methods we have known in the past, such as SSL VPN. We asked Version 2 Taiwan about this; they said Awingu is divided into two parts: the front end is the web-rendered application the user sees, and the back end is the connection configuration for server-side services such as RDP or CIFS. It is simpler to deploy than SSL VPN or IPsec VPN, and on the security side, beyond SSL connection encryption, MFA can be configured for user login; no agent needs to be installed on the client, and all work can be done through the browser.

On strengthening identity authentication, compared with current remote application and file access services, Awingu’s biggest characteristic is providing both single sign-on (SSO) integration and multi-factor authentication (MFA). For the former, it can integrate with AD and LDAP, and supported identity providers (IdPs) include ADFS, Azure AD and Google ID, all of which support SAML v2 or OpenID Connect. When authenticating with SAML, an intermediate IdP check can be performed after the base IdP authentication above, for example pairing with a product from another security vendor, OPSWAT, to verify identity for added security.

For MFA, Awingu supports one-time passwords based on a hashed message authentication code whose factor changes with a counter (HMAC-based One-time Password, HOTP), as well as time-based one-time passwords (Time-based One-time Password, TOTP).

There are many software tools for this kind of authentication. Among mobile apps the best known are Microsoft Authenticator and Google Authenticator; security vendor Sophos and cloud communications provider Twilio also offer such software, the former with Sophos Authenticator and the latter with Authy, which can be installed on Windows, Linux and macOS. All of these can be used with Awingu.

In addition, Awingu supports smart cards; 4 have been tested so far: the Belgian electronic identity card (eID), the Dutch UZI pass, the Italian InfoCert Business Key, and the European Isabel SmartCard.

As for applications that can be accessed remotely, Awingu currently supports two types, streamed and web. The former covers RDP applications, desktop applications (non-command-line applications) and remote applications (an extension of the RDP protocol); the latter covers web applications and reverse-proxied web applications. Administrators can add these applications to Awingu one at a time through the web interface, or import a CSV file to configure many at once. For automated installation, configuration and management, Awingu also provides a REST API.

For end-user remote access operation and management, Awingu also offers mapping of multiple physical screens to multiple browser windows, printing within an application session (virtual printer), screen sharing of an application session, and full-session audit recording (Application Recording; recordings can be stored on the local disk of the Awingu virtual appliance or on an administrator-defined back-end server).

For audit log collection, Awingu covers a broad range, including sessions of users, applications, web applications, shared applications and identity sources; application gateways; file access actions (files operated on through the Awingu web portal); and various anomalous activities.

Product information

Awingu 5.4
● Deployment: requires a virtual appliance; system requirements are 2 vCPUs, 4 GB of memory and 80 GB of disk space
● Supported platforms for the virtual appliance: Microsoft Hyper-V 2016 and 2019, VMware ESXi 6.5 to 7.0, KVM, Citrix Hypervisor 8.2, AWS Amazon EC2, Microsoft Azure, Google Compute Engine
● Supported database systems: Microsoft SQL Server 2016, 2017 and 2019; PostgreSQL 9.4 and later

# Contact the Version 2 Taiwan security team: phone (02) 7722-6899, or visit https://version-2.com.tw/

Media coverage reprinted from: iThome (https://www.ithome.com.tw/review/155887)

How to integrate Jumpcloud and Awingu

Cloud access management has become increasingly important for businesses of all sizes, as more and more employees work remotely and rely on cloud-based tools to stay connected and productive. Azure AD is the most popular solution, but more companies are also looking at solutions like JumpCloud for managing cloud access. In this article, we will explore how easy it is to integrate Awingu and JumpCloud using the custom SAML app.

Step 1: Create Awingu in JumpCloud via the Custom SAML App

The first step in integrating Awingu and JumpCloud is to create a custom SAML app in JumpCloud. SAML (Security Assertion Markup Language) is a protocol used for single sign-on (SSO) authentication, which allows users to log in to multiple applications with a single set of credentials. Awingu supports SAML 2.0, which means that it can be integrated with JumpCloud using SAML.

To create a custom SAML app in JumpCloud, follow these steps:

1. Log in to your JumpCloud admin console and navigate to Applications.

2. Click the “+ Add New Application” button and select the “Custom SAML App”.

3. Enter a name for the app (e.g., Awingu) and on the SSO page set the following parameters:

As Awingu only supports Service Provider initiated authentication, the following settings are also mandatory:

The last step is to create two attributes that can be passed on as claims to Awingu. The first one needs to correspond with the UPN of the user in Awingu’s local AD, and the second one will be used as the user display name in the Awingu user interface.

In this example, the UPN matches the email address of the user. If this is the case, you can also create a custom attribute for the user and pass this custom attribute to Awingu:

4. Before saving the application, make sure you assign the right group of users to this application and click “Save” to finish the creation of the SAML app in JumpCloud.

5. Once the app is created, select the app in the list of applications and download the XML metadata file by clicking on the “Export Metadata” button.

Once this is done, you are ready to configure the Awingu side.

Step 2: Enable Federation on Awingu

The second step in integrating Awingu and JumpCloud is to enable federation on Awingu. Federation is the process of establishing trust between two identity providers (in this case, JumpCloud and Awingu) so that users can log in to Awingu using their JumpCloud credentials.

Before you start the Awingu configuration part, make sure you know the username and password of the built-in management user. This is the user account that was created during the initial installation of Awingu. If you have activated pre-authentication or single sign-on within Awingu and you have a problem with the configuration, this is the only account that still allows you to login. All other (admin) users will no longer work as they will be forced to go over to the IdP, JumpCloud in this case.

To enable federation on Awingu, follow these steps:

  1. Log in to your Awingu appliance with an admin user and open the system settings.
  2. Go to “Configure” -> “User Connector” -> “Federated Authentication” and set the Type to “Pre-authentication” and the Protocol to “SAML”.
  3. Set the Entity ID to “Awingu” and, after switching the Metadata Type from “URL” to “XML”, upload the Metadata XML file downloaded earlier onto the Awingu appliance.
  4. Set the Username & Display Name claims to the same names as set on the JumpCloud side, in this example “username” and “displayname”.
  5. Set the Workspace URL to your public Awingu DNS name.
  6. Click Apply.

Once this is done, test your configuration by opening an incognito browser window and going to your Awingu URL. If all is correct, you will be redirected to JumpCloud. After a successful login to JumpCloud, you will be redirected back to Awingu, and Awingu will ask you to type in your password. This will be your local Windows AD password. No need to panic, this is normal behavior: so far we have only activated “pre-authentication” and not yet full single sign-on.

In case something goes wrong and the pre-authentication is not working, you can still log in to the Awingu appliance with the built-in management user. To do this, open a new incognito window and go to https://your.awingu.url/login?noPreAuth (be careful, this is case sensitive). This will allow you to log in and make modifications to the configuration.

Step 3: Go full Single Sign-On in Awingu

Once you have a working pre-authentication and know the integration with JumpCloud is done correctly, you can go to the last step, which is switching the Federated Authentication type from “Pre-Authentication” to “Single sign-on”.

This last step is independent of the IdP that is used (JumpCloud in this case) and will remove the popup for the local Windows AD password. You’ll need to make Awingu a sub-CA of your Active Directory. By doing so, Awingu can generate user certificates and then, via Kerberos and other standard Windows protocols, let the user log in to the applications and drives without needing a Windows password or installing any Awingu software in the Windows environment.

Have a look at this video: https://youtu.be/8343EIAVHns or at the admin guide to learn more about how to generate those certificates. Be careful, because certificates and Kerberos are sensitive to DNS and other details. Follow the instructions to the letter to make it work.

Once you have uploaded the certificates to your appliance, your users can log in to Awingu with their JumpCloud credentials. This means that you can manage cloud access for your entire organization using a single platform (JumpCloud), while still providing your users with a seamless login experience.

About Parallels 
Parallels® is a global leader in cross-platform solutions, enabling businesses and individuals to access and use the applications and files they need on any device or operating system. Parallels helps customers leverage the best technology available, whether it’s Windows, Linux, macOS, iOS, Android or the cloud.