Wednesday, January 20, 2016

FortiToken app and Mac OS X 10.11.1

Very sad: I tried to install FortiToken on my updated Mac OS X machine and found that the dmg installer fails. It does prompt you with a warning:




What's going on here? The software fob works great from the security store, though.










Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \


Tuesday, January 12, 2016

pfSense has competition from OPNsense

OPNsense is a direct fork of pfSense and encompasses many of the same features, and more.

https://opnsense.org/



Nobody should be surprised that this fork has come out, and it's nice to see the next level of open-source networking; hopefully it gains a big following.

I will be checking IPv6 functionality over the next few weeks, and hope to report back with some positive things.

https://opnsense.org/blog/





Should we be losing faith in Fortinet?

The latest news is really sad, and a big disappointment from Fortinet. Backdoor access has been noted, and a simple Python script has been published that shows how to exploit it.

Here's a snapshot from the FTNT blog:

http://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios



So if a security company can't get it right,  that makes one wonder what else they are doing that we don't know about.

To mitigate this, either upgrade to a fixed build (per Fortinet's statement the fix shipped in FortiOS 4.3.17 and 5.0.8) or remove ssh from allowaccess on every exposed interface. If you must run SSH, at least restrict who can reach it: a non-standard port only hides the service and does not fix the flaw, so prefer two-tier access by requiring an SSL VPN login first and allowing ssh only on the ssl.root interface.


http://socpuppet.blogspot.com/2014/12/hardening-your-unix-ssh-server-access.html

http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html
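As an added example (not from the original post, and not Fortinet's own documentation), here is what the weak setting and the corrected one look like in FortiOS CLI syntax. The interface names wan1 and ssl.root and the address object mgmt_hosts are assumptions; adjust them to your configuration.

```text
# Before (exposed): SSH answers on the Internet-facing interface.
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end

# After: no SSH on wan1. SSH is only offered on the SSL VPN tunnel
# interface, so an SSL VPN login is required before the SSH service
# is even reachable.
config system interface
    edit "wan1"
        set allowaccess ping https
    next
    edit "ssl.root"
        set allowaccess ping ssh
    next
end

# If SSH must stay on wan1, pin it to known management hosts with a
# local-in policy (mgmt_hosts is an assumed address object). This narrows
# who can reach the service; it does not remove the flaw.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt_hosts"
        set dstaddr "all"
        set action accept
        set service "SSH"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "SSH"
        set schedule "always"
    next
end
```

If you also move SSH off tcp/22 with set admin-ssh-port under config system global, the SSH service object used in the local-in policy has to be changed to the new port as well, otherwise the policy no longer matches the traffic. None of this changes the affected code; only a fixed build removes it.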



PCNSE backpack

One benefit of getting the Palo Alto PCNSE is the fact that they give you a nice backpack.





The order process is simple and only needs your certificate ID; you then follow a few steps for the shipping address.

I found this label in the bag that I thought was funny: "CheckMate" (cough... Check Point).






Friday, January 8, 2016

Unsupported transceiver on NX-OS

In this post I will demo the "Time" generic twinax transceiver connection under NX-OS. These transceiver assemblies support 1/10 GigE and are much cheaper than Cisco-labeled ones.

These are passive and support up to 5 m of distance. Here are a few show command outputs:






Thursday, January 7, 2016

max value FortiOS print tablesize

FortiOS has the ability to set limits per VDOM, but it's also nice to know the maximum values that can be set globally or per VDOM.

The CLI command print tablesize provides detailed information based on the FortiOS version and model.

A simple output looks like:


system.vdom: 0 0 10




The 1st column is per instance, the 2nd column per VDOM, the 3rd column global. So in the above example the total number of VDOMs allowed globally is 10; the first two columns are not useful in this case.

You can also use the Fortinet KB to find the maximum value metrics. When you exceed a max value, you get a simple command failure.

e.g. (CLI for SNMP users, where the max value is 32)




FortiOS diag debug flow filters

Here's some very strange behavior with diag debug flow. I was playing around, looking at incorrect network numbers, and wanted to see whether I could feed some weird address filters to the diag debug flow filter.

Check this out:


You can't specify a loopback (127/8) address, but you can specify an improper IPv4 address and a broadcast address.





So how about IPv6? Well, let's find out.




Wednesday, January 6, 2016

A prime, on primes using openssl

Have you ever wanted a simple means to determine whether a number is prime and not composite?

The openssl prime subcommand lets you check whether a number is prime. It uses a probabilistic (Miller-Rabin) test, so an "is prime" verdict is extremely likely but not a proof; "is not prime" is definite.

Using openssl in this example, we check numbers in the range 100000 to 1000000 for primality:


e.g #1



e.g #2



e.g #3


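Here is an added shell example, not from the original post, that wraps openssl prime in a few functions so you can test a single number, list the primes in a range, or re-check a prime that openssl generated itself. The stand-alone run only scans a short slice of the 100000 to 1000000 range, because every check spawns one openssl process.

```shell
#!/bin/sh
# Added example (not from the original post): small wrappers around
# `openssl prime`.  openssl prints "<n> (<hex>) is prime" or
# "<n> (<hex>) is not prime"; the functions key off that text.

# is_prime N -> exit 0 if openssl reports N as prime, 1 otherwise
is_prime() {
    openssl prime "$1" | grep -q ' is prime$'
}

# primes_in LO HI -> print every prime in the closed range [LO, HI], one per line
primes_in() {
    i=$1
    while [ "$i" -le "$2" ]; do
        if is_prime "$i"; then
            echo "$i"
        fi
        i=$((i + 1))
    done
}

# count_primes LO HI -> how many primes lie in [LO, HI]
count_primes() {
    primes_in "$1" "$2" | wc -l | tr -d ' '
}

# gen_prime BITS -> a random BITS-bit prime from openssl, printed in decimal
gen_prime() {
    openssl prime -generate -bits "$1"
}

# Stand-alone run: the first primes above 100000, then a generated 64-bit
# prime fed back into is_prime.
primes_in 100000 100100
p=$(gen_prime 64)
if is_prime "$p"; then echo "$p is prime"; else echo "$p is not prime"; fi
```

One openssl process per candidate is fine for spot checks; for a sieve over the whole range you would want a single process (for example a few lines of Python) rather than this loop.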





Monday, January 4, 2016

Using the GnuTLS binary for debugging SSL/TLS

Have you ever wondered about SSL/TLS connection details and needed a simple binary for this purpose? openssl is a great tool for various conversions and CSR/private-key generation, but GnuTLS's gnutls-cli is the master workshop tool.


Here's a simple execution with no verbose output:


How about if you ever wonder whether the certificate is a wildcard or a SAN certificate:



Here's nsa.com and nsa.gov; look at which one deploys a DH key exchange:


note: use --insecure for certificates that don't validate (the handshake still completes, but nothing is verified, so use it for inspection only)


How about inspecting the CA chain depth? The certificates in the chain are numbered, starting from the end-entity certificate up to the top CA. Here SSL.com has a chain 4 links deep.




The --print-cert option prints the certificates in X.509 PEM form along with the DH info. Here's my virtual pfSense instance:



The gnutls-cli binary is great if you work with server certificates and need to validate server SSL/TLS connections and profiles, for example when working with SLBs (A10, F5, Kemp, ServerIron, LVS) or web servers (MS IIS, Apache2, Nginx).




Sunday, January 3, 2016

Palo Alto universal rule type

What's a universal rule type? We all understand intrazone and interzone policies, but universal is really a combination of the two.

Examples

intrazone  rule 

  SRC_ZONE=trust1
  DST_ZONE=trust1

traffic whose src and dst zones are the same zone

interzone  rule 

  SRC_ZONE=trust1
  DST_ZONE=untrust1

traffic whose src and dst zones are two different zones

But with a universal rule, a single rule whose source zones and destination zones are both set to trust1 and untrust1 matches all of the following zone flows:


universal  rule  ( SRC_ZONE=trust1,untrust1  DST_ZONE=trust1,untrust1 )

  interzone:

  SRC_ZONE=trust1
  DST_ZONE=untrust1

  SRC_ZONE=untrust1
  DST_ZONE=trust1

  intrazone:

  SRC_ZONE=trust1
  DST_ZONE=trust1

  SRC_ZONE=untrust1
  DST_ZONE=untrust1



It simplifies rules that need to catch both intra- and interzone traffic. Keep in mind that universal is the default rule type in PAN-OS, so a rule listing several zones also permits the intrazone traffic inside each of them; choose interzone explicitly when that is not intended.



Yes, it's that easy!





Saturday, January 2, 2016

howto validate a user certificate that's signed by a CA root or intermediate in a chain

Have you ever had a user certificate for a VPN (SSL/IPsec/OpenVPN) and wondered whether the user certificate chains to the corresponding signing cert?

Here's a quick and dirty method of verifying certificate chaining with openssl verify: check each user certificate against the self-signed CA certificate that should have signed it.

Take these certificates;



As you can see, they are OK'd against the CA certificate myopenvpn.crt, but all have expired. (Note that older openssl verify builds still print OK after reporting the expiry error, so read the whole output rather than just the last line.)


Now here are 3 user certificates named user1, 2 and 3:




btw: these 3 users each have a different key size, as indicated here. The key size has no bearing on verification.

( see below )




Here are a few certificates not in the trust chain, which fail (certificates myuser1 and 2):




So in my private internal CA these certificates checked out against the CA root certificate named "MYCAPFSENSE.crt". This is a good way to validate that a certificate belongs to a trust chain; for a certificate signed by an intermediate, pass the intermediate with -untrusted and the root with -CAfile, otherwise verify stops with "unable to get local issuer certificate".
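Both this post and the GnuTLS post above come down to a few checks on a PEM chain: does the user certificate chain to the root (directly or through an intermediate), is it a wildcard or a plain SAN certificate, and how many certificates deep is the chain. Here is an added shell example, not the original posts' commands, that builds a throw-away private CA with openssl and runs those checks. The names Example Root CA, Example Issuing CA, user1, *.example.com and rogue are made up for the demo, and the chain that gnutls-cli --print-cert would show is simulated by concatenating the PEM files leaf-first.

```shell
#!/bin/sh
# Added example, not code from the original posts.  Builds a throw-away
# private CA (root -> intermediate -> user cert), plus one self-signed cert
# that is outside the hierarchy, then checks chaining, SAN type and depth.
# All names below are made up for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA: self-signed.  The default openssl config (or OpenSSL 3 itself)
# marks a `req -x509` certificate as CA:TRUE.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null

# Intermediate CA: CSR signed by the root, explicitly marked as a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.cnf
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -days 2 -in inter.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.cnf -out inter.crt 2>/dev/null

# User certificate signed by the intermediate, carrying a wildcard SAN.
printf 'subjectAltName=DNS:*.example.com,DNS:example.com\n' > san.cnf
openssl req -newkey rsa:2048 -nodes -subj "/CN=user1" \
    -keyout user1.key -out user1.csr 2>/dev/null
openssl x509 -req -days 2 -in user1.csr -CA inter.crt -CAkey inter.key \
    -CAcreateserial -extfile san.cnf -out user1.crt 2>/dev/null

# A self-signed certificate that is NOT part of this CA hierarchy.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=rogue" -keyout rogue.key -out rogue.crt 2>/dev/null

# The chain as a server (or gnutls-cli --print-cert) would present it: leaf first.
cat user1.crt inter.crt root.crt > chain.pem

# verify_direct ROOT CERT -> 0 when CERT is signed directly by ROOT
verify_direct() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_via ROOT INTER CERT -> 0 when CERT chains to ROOT through INTER
verify_via() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# san_kind CERT -> "wildcard", "san" (SAN present, no wildcard) or "none"
san_kind() {
    san=$(openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true)
    case "$san" in
        *'DNS:*.'*) echo wildcard ;;
        *DNS:*)     echo san ;;
        *)          echo none ;;
    esac
}

# chain_depth BUNDLE -> number of certificates in a PEM bundle
chain_depth() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Stand-alone run: print the verdicts the functions return.
verify_via root.crt inter.crt user1.crt && echo "user1 chains to the root via the intermediate"
verify_direct root.crt user1.crt || echo "user1 does NOT verify without the intermediate"
verify_direct root.crt rogue.crt || echo "rogue is outside the trust chain"
echo "user1 SAN kind: $(san_kind user1.crt)"
echo "chain depth: $(chain_depth chain.pem)"
```

The second verify_direct call is the case people trip over: a perfectly good user certificate fails against the root alone because the intermediate is missing, which is exactly what "-untrusted" is for. Key size plays no part in any of these checks.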


Friday, January 1, 2016

Fun with FortiOS routes and /32

FortiOS has the ability to use a /32 mask on a defined LAN interface. In reality you will not gain anything by doing this; I want to show you a few issues that come up with a /32 on an interface.


Here's my system interface configuration;




note: notice the /32 mask

Here's the routing table:



No connected route exists; the only way to see this route is via the get router info kernel output.

One other issue: if you try to use that interface in a static route entry, the routes will be flagged inactive.



btw: that interface address is pingable from execute ping.

