Friday, May 25, 2018

proxy redirection Juniper

For whatever reason, JunOS has never supported WCCP on the SRX. Why Juniper hates or refuses to embrace WCCP might be the love-and-hate relationship with CSCO


Okay, with that out of the way: I work for a major security vendor who has Websense web gateways. I will demo how you can redirect traffic to Websense using the utm-policy in a Juniper. Keep in mind my Websense target is down, so I can't fully show the final traffic flow.


To redirect clients to a WSG you will need a few items

1st, define the target UTM web-filter values. You will need the host:port and the agreed-upon timeout


1.1.1.1:8080 would be my WEBSENSE

Now we will call a firewall policy and use the UTM web filter within the application-services



And finally we monitor at the WSG & SRX for traffic and UTM statistics






TIPs: check the following for diagnostics

  • show security utm web-filtering status
  • apply a system syslog file setting and match on WEBFILTER and any


If you are not getting proper filtering and see FALLBACK, there's a good possibility that the WSG is down.

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \



AV scanner online

I use Sophos on my local macOS machines, and the Fortinet FortiGate appliance and FortiCloud v2.0 for realtime AV scanning. This combination has been great.


ClamAV is another solution that is just as effective for AV detection, but in today's post we will discuss VirusTotal as a manual, alternative solution.
http://socpuppet.blogspot.com/2014/07/macosx-desktop-security.html

VirusTotal provides a simple, free AV scanning service and is now owned by Google. It only requires you to upload the file, or run the hash and compare.

https://www.virustotal.com/
https://en.wikipedia.org/wiki/VirusTotal


They have both daily and size limits, but they are reasonable. I will demo a file upload and the list of AV scanners that scanned my file for virus detection, using the EICAR test file which I crafted locally in text format.
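As an added example (not code from the original post), the hash-and-compare route: build the EICAR test file locally, hash it, and ask VirusTotal whether it already has a report before uploading anything. The v3 endpoint and the x-apikey header are my assumptions about the public API; the API key is a placeholder, and the engine-count summary is exercised on a constructed report.

```python
import hashlib
import json
import urllib.error
import urllib.request

# VirusTotal API v3 file-report endpoint and API-key header (my assumptions about the public API).
VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"
API_KEY = "VT_API_KEY_PLACEHOLDER"  # placeholder: put your own key here

# The EICAR test string (68 bytes), assembled at runtime so this source file
# does not itself start with the signature and trip a scanner.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode()


def file_hashes(data):
    """MD5, SHA-1 and SHA-256 of a file's bytes; VirusTotal accepts any of them for a lookup."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def summarize_report(report):
    """Reduce a v3 file report to the counts that matter for triage."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    engines = sum(stats.values())
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return {"engines": engines, "flagged": flagged, "ratio": "%d/%d" % (flagged, engines)}


def lookup_hash(file_hash, api_key=API_KEY):
    """Look up an existing report by hash (no upload). Returns None when VT has
    never seen the file (HTTP 404), which is the cue to upload it instead."""
    req = urllib.request.Request(VT_FILES_URL + file_hash, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


if __name__ == "__main__":
    hashes = file_hashes(EICAR)
    print("sha256:", hashes["sha256"])
    print("VirusTotal:", lookup_hash(hashes["sha256"]))
```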

Scan results depend on the following: 1> file size, 2> how busy the site is, and 3> how fast you can upload the file.

NOTE: I had to disable my local AV client (Sophos) and my FortiGate firewall's AV scanning for this demo to work for this blog. These two AV protections are a great combo.


The general population thinks that you need a super-duper, high-$$$$$ analysis service in order to scan files. That's not exactly true.

Keep in mind that anything free is just that, "free". So don't try to compare VirusTotal to FortiCloud or the WildFire analysis engine, both of which I have a combined 7+ years of experience with. VirusTotal will do a decent job for the most part, and it can analyze files of many different types.


I will demo my FortiCloud setup in my next posting. This (FortiCloud) is a solution for simple, affordable sandboxing, with HTTP services or any other services that you use for downloads or file sharing. It's as easy as 1-2-3 to set up and only requires a FortiGate firewall.

BTW (I'm a big pfSense and OPNsense user in the open-source networking and firewall community)


The open-source "pfSense Firewall" also has a decent AV package, FWIW. So again, "!!!! no excuses exist for being infected via malware !!!!"

Realtime scanning is a must, along with realtime reporting.

http://socpuppet.blogspot.com/2013/02/pfsense-hvap-anti-virus-for-http.html
https://opnsense.org/


Sunday, May 20, 2018

Running caddyserver and QUIC



QUIC is very good for speedy websites. It's actually quick!

 https://en.wikipedia.org/wiki/QUIC

The caddyserver supports the QUIC protocol, so you can play around with QUIC. It's great for demo and testing and practically free in student/developer environments.


Here I built a caddyserver and enabled the QUIC protocol


e.g ./caddy -config ./Caddyfile -quic 

My Caddyfile contains:



Using Google Chrome we can monitor the internal network status, and by clicking on any active QUIC session we can pull details on that connection



DTLS traffic for my mock website https://www.1plus1eq2.com;
NOTE: notice the UDP protocol

Thursday, May 17, 2018

JunOS upgrades

In JunOS land we have some new features that will be tackled here shortly. I had to get some gear up to the latest versions in my current family, 15.1x49.130



Stay tuned, JunOS is rockin' for Y2018; more good things could be coming out of the Juniper camp.


Forcepoint NGFW tcp.mss clamping, be aware

Testing some TCP MSS adjustments in the Forcepoint NGFW, I found strange and awkward behavior. If you set tcp.mss enforcement to a range that is outside the physical interface MTU on the NGFW, the firewall will drop these TCP packets and will not provide any log_browser output. Here's an example of a byte range of 1461-1461 for a 1500-byte Ethernet LAN segment



Juniper SRX and FortiGate will ignore any value outside the range allowed by the MTU. One cool point on the Forcepoint NGFW: it will honor any tcp.mss value, even down to 1 byte. Other vendors will disregard settings that low. FortiOS defaults to 48 bytes regardless of what value you set for tcp-sender that falls below 48 bytes. I believe this is due to the internet RFC having a minimum size value for TCP

IP+TCP.HDR+PAYLOAD

So if you set TCP MSS values outside the range for the firewall's Ethernet segment, be aware the Forcepoint NGFW can drop these packets with no warning.


FortiOS version 6.0 admin-cert keysize

The admin certificate for the web admin interface does not seem to like 8k-bit key sizes. I crafted a wildcard AltName certificate and loaded it into the FortiGate, selected the cert, and it spit out complaints in all of the browsers that the SSL protocol could not be negotiated.



{ NOTE: the web GUI certificate details will not show or list the key size; use openssl or gnutls-cli }




Now here's a 4096-bit key size being deployed in a FortiGate version 6.0 and it has no issues. So 2k/4k-bit key sizes seem to be the only supported certificate sizes at this time.






Thinking it was maybe due to it being a SAN certificate, I crafted a non-SAN one and had the same issues, so an 8k-bit key size is a no-go for the admin certificates.
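As an added example (not from the original post, and not Fortinet code), a key-size check that works on the PEM before you load it, since the GUI will not show the size: it walks the DER SubjectPublicKeyInfo with the Python standard library only, so no openssl binary is needed. The DER helpers are mine, and the host/port for the live check are placeholders you supply.

```python
import ssl

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption), tag and length included.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def der_encode(tag, body):
    """Build one DER TLV; used here to construct test input."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def der_read(buf, pos):
    """Read the TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def rsa_modulus_bits(der_cert):
    """Bit length of the RSA modulus in a DER certificate, or None if the key is not RSA."""
    i = der_cert.find(RSA_ENCRYPTION_OID)
    if i < 0:
        return None
    _, _, end = der_read(der_cert, i)            # algorithm OID
    _, _, end = der_read(der_cert, end)          # NULL parameters; closes AlgorithmIdentifier
    tag, start, _ = der_read(der_cert, end)      # BIT STRING subjectPublicKey
    if tag != 0x03:
        return None
    _, start, _ = der_read(der_cert, start + 1)  # skip unused-bits byte, enter RSAPublicKey SEQUENCE
    tag, start, end = der_read(der_cert, start)  # INTEGER modulus (leading 0x00 when high bit set)
    if tag != 0x02:
        return None
    return int.from_bytes(der_cert[start:end], "big").bit_length()


def pem_key_bits(pem_text):
    """Key size of a PEM certificate, e.g. the one you are about to load as the admin cert."""
    return rsa_modulus_bits(ssl.PEM_cert_to_DER_cert(pem_text))


def admin_cert_key_bits(host, port=443):
    """Fetch the certificate the web admin GUI presents (placeholder host) and report its key size."""
    return pem_key_bits(ssl.get_server_certificate((host, port)))
```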

I will test the same certificate for SSL VPN later in the month.


Tuesday, May 15, 2018

RBL tracker services

RBL tracker is a service used by major email senders that can report on blacklisting of any of your public addresses.

They offer bulk discounts, but you need a high number of addresses to see any benefit. They also allow an API POST callback, if you want alerts via API post.

Here are a few screenshots of the service with the cost calculators, using an extreme 1-hour vs 48-hour check interval
