Tuesday, September 26, 2017

DTLS forticlient fortios v5.4.

In this blog I will show you how to enable  DTLS for FortiClient. In this example we have  the following

FORTIGATE = 900D
FortiOS = v5.4.5
FortiClient  = v5.6.0
OS =  windows10


1st, 

DTLS is only support in  the windows FortiClient versions ( sorry.... no support for macosx !)

2nd, 

you need 5.4.x code or higher to enable   DTLS on the fortigate

3rd,

you must enable the DTLS preferred in the client xml  ( download the cfg and edit the highlight light to a value of 1 }



4th

Ensure you have access to udp port. In  this example I'm using my  macosx host to check that udp.port 443 is available &  via gnutls-cli ( use the -u switch for udp )






The mode of operation is very  simple,

The FortiClient talks tcp over the designated port and then switched to  udp if the client prefers udp. 

Keep in mind that going thru a http-forward-proxy might break the renegotiation to udp , but if the DTLS setup fails,  the  Client will fallback to just  tcp.port 443

Here's a dump of  traffic showing a windows std and 1200 byte pings





Here's snippet of a wndows10 forticlient exported logs.





One cool thing you can do. You can run a diagnostic session  from the cli and see the client > Be advise the  SSLVPN session is terminate to a "pseudo firewall policy# "





     valid firewall policies numbers are 1 thru 4294967294



This is where the ciscoASA has a advantage, the  cisco ASA has support DTLS for over  5+  years with webvpn.


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \

Saturday, September 9, 2017

Determining OSPF.interface mtu byte sizes via a packet capture

When using OSPF, the need can arise to validate the OSPF-interface-value amongst   OSPF neighbors.

If md5 authentication is not deploy the OPSF database descriptor will carry the  OSPF_interface_MTU value in the clear. A tool like  tshark/wireshark will easily display that value.


e.g



In a proper OSPF topology all interfaces attached to the LAN would use the same value. By dumping the  OSPF packets you can easily find the  Interface MTU value and ospf neighbors that are not configured correctly.






By using  a packet.capture you can easily  gather statistics without login into numerous routes or devices  for gathering ospf show  collections



Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \

Friday, September 1, 2017

securing mysql with SSL/TLS

With databases and application  servers, we find  that most org do NOT  deploy SSL/TLS encryption. This post will demo  how easy it's to  set a  mysql server up for   SSL/TLS. Most  DBAs I've  meet thinks;


  •  its hard to setup and configure
  •  are just plain lazy
  •  feels it's offer zero-security benefits
  •  or a combination of ALL thee above :)




You will need the following for the server;

CA-cert
Server-cert
Server-key

You will need the following for the client(s);

CA-cert
Client-cert
Cient-key


1st here's my simplified  my.cnf cfg  ( this is very basic lean down conf )


[mysqld] 
bind-address = *
ssl-ca=/etc/ssl/ca.pem
ssl-cert=/etc/ssl/server-cert.pem
ssl-key=/etc/ssl/server-key.pem


Now to check for SSL support you need to  show global variables and match on SSL. If your  successful upon a restart the  DISABLE will be ENABLE and SSL support will be included in the mysql server services








Now we can test for basic  access with the root account and by specifying  SSL;






To lock this down for just a  database user account, you will grant  ( them  )  permission and set  required SSL for that user(s).








And now compare a SSL and non_SSL  access 



If a user that's required  SSL tries without  SSL certificates ( he/she ) will  get a reject message similar to  the below;





Yes it's really that simple. 


In a real professional environment, you will craft unique client-certificates  & 1 per  users  and ensure that the user has secured and protected his  key via a passphrase. 

If you  want to revoke his access revoke the cert and  remove his access.


  For  the   mysql services ensure the mysql  user that runs the daemon can read the server-private-keyfile .... I seen this  issue being the #1 problem when setting up  mysql w/SSL-TLS. chown and chmod the permission  for the priv-key   and  just for the mysql-services account



Ken Felix




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \