Thursday, July 30, 2015

ipv6 address huawei firewall series

The huawei series of firewalls has supported ipv6 within most code versions. The Eudemon has been very reliable for ipv6 inspection and filtering. Huawei is a major contender in the Asian market (China & Japan), which is one of the largest consumers of ipv6 addresses.

http://www.huawei.com/en/solutions/broader-smarter/hw-092950-ipv6.htm

To configure ipv6 on a firewall interface, you only need to enable the ipv6 function and set an address. If you want to allow rt-adv for SLAAC clients, you can specify the prefix(es) to be advertised.

Here are a few examples of various ipv6 interface configurations:

Single prefix with route-advertisement



Interface with numerous  ipv6 addresses



Interface with numerous ipv6 addresses and 2 prefixes in RT-advertisements


Interface with numerous ipv6 eui64 addresses




ipv6 must be enabled globally; if not, you will receive the following error:



Useful ipv6 display commands:

display ipv6 routing-table
display ipv6 interface brief


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \

Wednesday, July 29, 2015

ipv6 RA security concerns

Here I wanted to discuss some ipv6 RouterAdvertisement concerns. For devices that use autoconf, aka SLAAC (Stateless Address Autoconfiguration), the RouterAdvertisements are crucial. SLAAC is the most widely used method for the assignment of ipv6 prefixes to ipv6-enabled hosts.

Most firewalls support prefix assignment and default-gateway detection via the ICMPv6 packets used for RT-Advertisements.

The general concept is for the client to solicit, or wait for, regular advertisements to find the usable ipv6 prefix(es) and gateway information.

1st off, the biggest security issue within ipv6 networks is the risk of an imposter/spoofed ipv6 gateway. Within cisco and most other routers, you have the means to set the router preference for when you have 2 or more ipv6 gateways serving the local LAN.

In most IOS versions it's configurable via the following command on routers or L3 switches.

ipv6 nd router-preference { high | medium | low }

But for the commercial firewalls, we don't have this option. Outside of an open-source firewall platform (pfsense/linux/etc.), the router preference within the RT-advertisement is generally left at "medium".


A juniper SRX configuration with aggressive intervals:



So what this means:
  • An imposter could hijack your ipv6 hosts' default gateway
  • An imposter who spoofs your firewall's link-local address could construct a RT-Advertisement and direct all traffic to the hijacker
  • You are exposed to MITM attacks
  • An imposter could play back forged RT-advertisements and disrupt connectivity
  • An imposter could inject a spoofed rt-advertisement with the default-router lifetime set to zero, hence making that router inactive


If you find yourself getting an ipv6 prefix but no ipv6 default gateway, then 9 out of 10 times it's a bad router lifetime value set to "0".

Okay, so the only way we can protect ourselves is to deploy ipv6 spoof protection (RA guard / ND inspection), which is available within Cisco and Juniper L2/L3 switches. This protection prevents spoofing and protects us from untrusted ports.

e.g. (sample cisco 2960S configuration)

int gi 1/0/1
 ipv6 nd raguard attach-policy HOSTONLY-RA
 ipv6 nd inspection attach-policy PROT-ND
 ipv6 snooping attach-policy PROTECT-ipv6-snooping


ip device tracking
ipv6 icmp error-interval 80
ipv6 nd raguard policy HOSTONLY-RA
 match ra prefix-list deny-v6
!
ipv6 nd inspection policy PROT-ND
 validate source-mac
 sec-level minimum 1
 limit address-count 1
 drop-unsecure
!
ipv6 nd inspection policy Trust
 trusted-port
!
ipv6 snooping policy PROTECT-ipv6-snooping
 limit address-count 1
 tracking enable
!
ipv6 snooping policy Trust
 trusted-port
!


The above will protect Layer 2 access ports from rogue and spoofed advertisements, but this might not be available on a low-end switch or non-Cisco hardware (i.e. dlink, hp, trendnet, etc.).

Keep in mind that route-advertisements are crucial in an ipv6 network and expose a high degree of risk if tampered with.
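As an added illustration (not code from the original post), here is a small Python parser for ICMPv6 Router Advertisements with the checks a defender would apply on a host or a monitoring sensor: unexpected source MAC, router lifetime 0, high router preference, and prefixes outside the allowed set. The firewall MAC and prefixes are constructed sample values, and the forged RA is only built in memory as a test fixture for the detector.

```python
import ipaddress
import struct

# Constants from RFC 4861 / RFC 4191 (ICMPv6 Router Advertisement, type 134).
ND_ROUTER_ADVERT = 134
OPT_SRC_LLADDR = 1
OPT_PREFIX_INFO = 3
PREF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}


def parse_ra(payload):
    # Fixed 16-byte header: type, code, checksum, hop limit, flags, router lifetime, ...
    icmp_type, code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if icmp_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": lifetime,                    # 0 = "I am not a default router"
          "preference": PREF_NAMES[(flags >> 3) & 0b11],  # RFC 4191 Prf bits
          "src_mac": None, "prefixes": []}
    off = 16
    while off + 2 <= len(payload):                        # walk the TLV options
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")     # RFC 4861: must be discarded
        body = payload[off:off + olen * 8]
        if len(body) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = body[2], body[3]
            ra["prefixes"].append({"prefix": f"{ipaddress.IPv6Address(body[16:32])}/{plen}",
                                   "autonomous": bool(pflags & 0x40)})  # A flag: SLAAC
        elif otype == OPT_SRC_LLADDR:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[2:8])
        off += olen * 8
    return ra


def audit_ra(ra, trusted_mac, allowed_prefixes):
    # Returns the reasons this RA should not be trusted (empty list = looks legitimate).
    findings = []
    if ra["src_mac"] != trusted_mac:
        findings.append(f"RA from unexpected source MAC {ra['src_mac']}")
    if ra["router_lifetime"] == 0:
        findings.append("router lifetime 0 would withdraw the default gateway")
    if ra["preference"] == "high":
        findings.append("high preference would win over a medium-preference gateway")
    allowed = {ipaddress.IPv6Network(p) for p in allowed_prefixes}
    for p in ra["prefixes"]:
        if ipaddress.IPv6Network(p["prefix"]) not in allowed:
            findings.append(f"unexpected prefix {p['prefix']}")
    return findings


def build_ra(src_mac, prefixes, lifetime=1800, pref=0b00):
    # Builds a sample RA payload for testing (no IPv6 header, checksum left at 0).
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, (pref & 3) << 3, lifetime, 0, 0)
    pkt += bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    for cidr in prefixes:
        net = ipaddress.IPv6Network(cidr)
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                           2592000, 604800, 0) + net.network_address.packed
    return pkt


# Constructed samples: the firewall's own RA, and a forged RA like the ones described above.
TRUSTED_MAC = "00:11:22:33:44:55"   # assumed link-layer address of the real firewall
ALLOWED = ["2001:db8:2::/64"]       # the prefix the firewall really advertises
GOOD_RA = build_ra(TRUSTED_MAC, ALLOWED)
ROGUE_RA = build_ra("66:77:88:99:aa:bb", ["2001:db8:bad::/64"], lifetime=0, pref=0b01)
```

Feeding `audit_ra(parse_ra(ROGUE_RA), TRUSTED_MAC, ALLOWED)` returns all four findings, while the firewall's own RA returns an empty list.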


Sunday, July 26, 2015

FortiOS 5.2.4 problems

I had to downgrade back to build 670 due to weirdness with v5.2.4. My perfectly working lab FWF60D started showing heavy disconnects. I also found numerous log messages under Event > System at 2-5 minute intervals, similar to the below.


Looking at the alert, it pertains to ipv6 RA-Advertisements, which is going to make me look more into the reason why. For my issues: "I couldn't even ping locally or remotely, and in some cases I could not access the fortigate via SSH or HTTPS".

Another issue that was also present: the 3G modem that my WAN uplink uses was not being found. This was true even if you execute a diag sys modem reset or unplug and re-plug the huawei 3G modem.

note: you can use the hidden fnsysctl command to query the proc usb devices to validate this


Next, I found out that the unit had executed a reboot, due to my low uptime times. So something was crashing the unit, but I had no idea as to what, due to no syslog or other off-unit logging.


Typically, I almost never downgrade, but in this case "I have no other choice". The continual log messages such as these and the poor performance on my in-home lab fortigate require me to drop back to the last known good build, v5.2.3 aka b670.

I will not continue on v5.2.4 until others in the community have taken some time to evaluate this build.






Friday, July 24, 2015

Why Palo Alto is good

Palo Alto (PANW) is good in that they always try to update users on any current issues and Advisories.

Take the latest "Advisory"; this happened to be sent to my email address.





From a security standpoint, do Fortinet, Juniper or Cisco have anything similar in the works, with live updates and special CSB-type bulletins?


Thursday, July 23, 2015

NXOS and unsupported transceivers

In this post we will look at a copper SFP-T transceiver (non-cisco) and enabling it for use on a NX3548 series switch.

As with most other cisco devices, you can use non-cisco SFP transceivers under the Nexus OS. Cisco frowns on this, but has made exceptions for the use of these devices within various cisco hardware. Here's the copper transceiver that was enabled for the nexus 1U switch.

http://www.avagotech.com/products/fiber-optics/optical-transceivers/sfp/

Now when you install this as-is, the switch will complain with the following log message. But you can use the service unsupported-transceiver command in the global configuration context to allow this unsupported transceiver.



By doing this, NX-OS will print the warning message and allow the transceiver. It will never show up in the inventory output, but it will be operative.




So you have the option of using various transceivers, but be very careful about what you install in an SFP slot; YMMV.


FortiOS v5.2.4 is out

Nothing is posted on the open link with release information, but v5.2.4 is out.





http://docs.fortinet.com/fortigate/release-information

Here's what we can find in FortiOS v5.2.4: nothing really new, but numerous bug fixes. Either way, it's nice to see FTNT moving so quickly with this release.



NOTE: for any upgrade you should back up the config and have a fallback in case you need to revert to the older software.





Tuesday, July 21, 2015

6500 slot utilization tips ( show commands )

In this post we will look at how to determine slot utilization percentages. A cisco 6500 is a 40gbps-per-slot chassis, depending on numerous factors:

  > card type
  > chassis type
  > switch fabric
  > supervisor type
  > number of fabric channels supported per linecard

One simple means of gathering slot utilization % is to issue show platform hardware capacity fabric

To validate the forwarding statistics you can use the following command: show platform hardware capacity forwarding

Even better yet, we can use the following: show fabric utilization
You most likely need to know what card is in the slot and the channels available:

show module x
show fabric status x


Understanding the supervisor type is always helpful. So when reviewing potential bottlenecks, you have a host of commands available that can provide per-slot performance numbers.






Monday, July 20, 2015

MACOSX MTU adjustment

Here's a quick howto for adjusting the interface MTU under MACOSX. Why you would adjust the interface MTU depends on a lot of reasons; here's a few:


1> tunnels (IPSEC/GRE/4in6/6in4/VXLAN/802.1q/QinQ/etc.)
2> other vpn methods like OpenVPN or SSLVPN
3> PPPoE overhead
4> PMTUD failures
5> reducing ip fragmentation
6> NIC tcp offload issues


1st, you want to gather the interface MTU size, but this requires you to get a list of the network interfaces.

Here, we will adjust the WiFi adapter;



As you can see, the interface is set to the default 1500 bytes. We will adjust the interface by using the networksetup -setMTU command with a new value.


NOTE: be advised the OS will prompt you for the admin user account, similar to the below



And that's how easy it is to change an MTU setting. Most network interfaces allow you to decrease the MTU from the default 1500 bytes, but rarely will they allow you to increase the interface MTU size.



Fortigate and SLAAC

Somebody asked me to look into whether a fortigate has any issues with autoconf and ipv6. So I did a quick test on a FGT60D and 5.2.3.



What I found was very interesting if you have multiple advertised prefixes. Most devices like windows or macosx will install multiple prefixes for an interface, but there's a hard limit of 12 or so prefixes, and the same applies on the fortigate.

1st, here's my interface configuration;


Now here's the ipv6 configuration for sending our prefixes;

config system interface
    edit "internal2"
        set vdom "custB"
        set ip 10.200.10.1 255.255.255.0
        set allowaccess ping https ssh
        set vlanforward enable
        set type physical
        set alias "internal2-interface"
        set snmp-index 9
            config ipv6
                set ip6-allowaccess ping https ssh
                set ip6-address 2001:db8:2::/64
                set ip6-send-adv enable
                set ip6-manage-flag enable
                set ip6-other-flag enable
                    config ip6-prefix-list
                        edit 2001:db8:2::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:288::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:289::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:290::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:291::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:292::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:293::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:294::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:295::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:296::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:297::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:298::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:299::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:190::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:191::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:192::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:193::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:194::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:195::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:196::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:197::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:198::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:199::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:130::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:131::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:132::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:133::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:134::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:135::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:136::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:137::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                        edit 2001:db8:138::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                    end
            end
    next
end


And here's what our autoconf-enabled interface shows;


Forticlient URL filter and BETA

I'm doing some tests on Forticlient for URL filters and happened to notice the BETA marking on the blocked websites, with the new dialog box

e.g



So I see a pending change coming in the future with URL webfiltering.


Thursday, July 16, 2015

Update cisco tac mobile app

If you followed my cisco tac app post from a few weeks back (http://socpuppet.blogspot.com/2015/05/cisco-tac-android-app.html), well, it has come to my attention that cisco support has support for mobile apps running on Windows & MacOS systems by using bluestacks.

By using the app player from bluestacks (http://www.bluestacks.com/), you have the option to run the mobile app on a desktop system.

reference: https://en.wikipedia.org/wiki/BlueStacks

This opens up many other areas where you can run any mobile app on a host system for testing, debugging or preview purposes. Virtualization is not a new concept, but it is becoming more and more common in our everyday operations.

To find out more about cisco mobile apps, please check out the below link.
http://www.cisco.com/web/about/facts_info/apps/technicalsupport.html



Tuesday, July 14, 2015

finding files using a date range and find

In this blog, I will show you how to find files in a certain date range. This gives you a little more flexibility versus using atime, mtime or ctime under macosx.

1st, we craft the start-date file;

(the below will start at 2013-07-01 with the file named start)

touch -t 201307010000 start

Next, we craft the finish-date file;

(the below will end at 2013-12-31 with the file named finish)

touch -t 201312310000 finish


Now, we just use find, specifying the 2 files which surround our date/time range

(execution of a unix find)

find . -type f -newer start -and -not -newer finish


Monday, July 13, 2015

5.2.3 diskcheck warnings

FortiOS has a function whereby, if your firewall was powered off unexpectedly, it will warn you and give you the opportunity to execute a disk filesystem check.

(warning after login via WebUI)






(checking and the reboot message)






Friday, July 10, 2015

A few openswan cmds you should get used to

In this post, we will look at some useful commands using the ipsec tool under openswan.

This command is great for identifying ipsec support within linux.

ipsec verify

The next command, barf, is used for dumping the configuration into a text file for analysis. This is an ipsec debugging dump.


ipsec barf 


Next up, we can use the look option to determine iptables status & the chains used.

ipsec look



The last command is ipsec auto --status, and it is simple to remember. It is great for determining the ciphers supported and various other statuses for connections. It requires sudo or root permission for execution.


ipsec auto --status



These are commonly used commands in the swan lineup that should be used for troubleshooting. Other useful tools are tcpdump/tshark for packet capture of IKE and ESP data and for analysis of ph1/ph2 SPIs.


