Sunday, January 28, 2018

FortiAnalyzer license issues

I worked on moving a previously licensed Fortinet FAZ-VM and ran into a simple but weird issue.

The license is tied to the device's management address, so if you re-address the unit, the license check will fail.

You will not be able to configure anything if the license is not valid, by the way.

So, how I got around this: at first I tried to see if I could apply a secondary address using the old address. This was not possible.

Next, I attempted to define a loopback interface using the old address, and again this was not possible.

So I ended up reapplying the old address on one of the other 3 unused ports. This, plus a reboot, caused a re-activation of the license, and the unit was again operational.

So, knowing this, I wonder how strong the license enforcement on a FAZ-VM image is.




Ken Felix




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

Saturday, January 27, 2018

Juniper SRX and IPv6 local services

The Juniper SRX has been superior in its IPv6 offering for a firewall appliance.

Other firewall vendors have been lacking in this area, particularly in IPv6 support for local services such as syslog, NTP, RADIUS, TACACS, etc. These local services have for the most part been ignored with regard to IPv6. In this post, I will demo most of these services being deployed on a branch-model SRX.


First, here's the Junos version deployed and used in these examples.

For IPv6 to work, you need to check and possibly enable IPv6 flow mode, and yes, a reboot is required after committing.



NTP configuration and an IPv6 tcpdump for proof.

Syslog configuration and an IPv6 tcpdump capture of our syslog messages.




RADIUS and IPv6

Take heed to change the authentication order and select RADIUS.

Here are the FreeRADIUS config details for RADIUS; the user is steve and the RADIUS client (NAS) is 2001:DB8:199::1.





NOTE: ALL RADIUS ACCEPT/REJECT MESSAGES ARE SENT UNENCRYPTED

(tcpdump of various RADIUS messages between the NAS and the RADIUS server)

NOTE: Between the NAS client and FreeRADIUS, PAP is the default. You can change this behavior within the Junos RADIUS options and use CHAP for more security. Ideally RADIUS+DTLS would encrypt the full transmission, which offers greater security.
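As an added example (not the configuration from the post's screenshots, which are not reproduced here), a Junos set-format fragment that covers the steps above: IPv6 flow mode, NTP, syslog and RADIUS over IPv6, and the changed authentication order. Only the NAS address 2001:DB8:199::1 comes from the post; the server addresses, interface name and shared secret are assumed placeholders, and lines beginning with # are explanatory notes rather than commands.

```junos
# Added example, not the post's own config. Only 2001:db8:199::1 (the SRX / RADIUS NAS)
# is from the post; all other addresses are documentation-range placeholders.

# 1. IPv6 flow mode. Commit, then reboot; until then IPv6 traffic is not flow-processed.
set security forwarding-options family inet6 mode flow-based

# 2. Management interface carrying the NAS address (interface name assumed).
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8:199::1/64

# 3. NTP over IPv6 (server address assumed). Pinning the source address keeps the
#    NTP server's ACLs and the tcpdump filter simple.
set system ntp server 2001:db8:199::123
set system ntp source-address 2001:db8:199::1

# 4. Syslog to an IPv6 collector (address assumed). "any any" = every facility at every
#    severity; narrow it (e.g. "authorization info") once the capture proves delivery.
set system syslog host 2001:db8:199::514 any any
set system syslog host 2001:db8:199::514 source-address 2001:db8:199::1

# 5. RADIUS over IPv6 (server address and secret assumed). The SRX is the NAS that the
#    FreeRADIUS clients entry for 2001:db8:199::1 must match.
#    RADIUS/UDP attributes travel in cleartext (PAP only obfuscates User-Password with
#    the shared secret), so keep this traffic on a management network.
set system radius-server 2001:db8:199::2 secret "PLACEHOLDER-shared-secret"
set system radius-server 2001:db8:199::2 source-address 2001:db8:199::1

# "Take heed to change the authentication order": consult RADIUS first, then fall back
# to the local password database so an unreachable RADIUS server cannot lock you out.
set system authentication-order [ radius password ]

# Operational checks after commit (the post's tcpdump "proof", in Junos terms):
#   show ntp associations
#   show log messages | last 20
#   monitor traffic interface ge-0/0/0 matching "ip6 and (port 123 or port 514 or port 1812)"
```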




Thursday, January 25, 2018

IKEv1 DH group (aggressive mode)

When deploying IKEv1 for IPsec, it is crucial to know that the DH group needs to be defined across the proposals and be the same in each.

In the first contact the IKEv1 end-point provides its identity and DH parameter. So if you have multiple proposals with different DH group values, those proposals will not even be looked at.

IKEv1 main mode

6 transactions (the DH exchange comes in transactions 3 and 4)

IKEv1 aggressive mode

3 transactions (the DH exchange happens in the 1st transaction along with the proposal)
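An added Junos SRX example (not the post's own configuration) of the point above: an aggressive-mode IKE policy whose proposals all share one DH group, with a note on why a proposal with a different group is wasted in that mode. Proposal, policy and gateway names, the peer address, the interface and the pre-shared key are placeholders.

```junos
# Added example, not the post's own config. Names, peer address, interface and PSK are
# placeholders.

# Two proposals that differ in cipher but share dh-group group14: both are consistent
# with the single KE payload the initiator sends in aggressive-mode message 1.
set security ike proposal ike-aes256-g14 authentication-method pre-shared-keys
set security ike proposal ike-aes256-g14 dh-group group14
set security ike proposal ike-aes256-g14 authentication-algorithm sha-256
set security ike proposal ike-aes256-g14 encryption-algorithm aes-256-cbc
set security ike proposal ike-aes256-g14 lifetime-seconds 28800

set security ike proposal ike-aes128-g14 authentication-method pre-shared-keys
set security ike proposal ike-aes128-g14 dh-group group14
set security ike proposal ike-aes128-g14 authentication-algorithm sha-256
set security ike proposal ike-aes128-g14 encryption-algorithm aes-128-cbc
set security ike proposal ike-aes128-g14 lifetime-seconds 28800

# Aggressive-mode policy offering both proposals (one DH group, hence one KE value).
set security ike policy ike-pol-agg mode aggressive
set security ike policy ike-pol-agg proposals [ ike-aes256-g14 ike-aes128-g14 ]
set security ike policy ike-pol-agg pre-shared-key ascii-text "PLACEHOLDER-psk"

# Gateway using the policy (peer address and external interface assumed).
set security ike gateway gw-branch ike-policy ike-pol-agg
set security ike gateway gw-branch address 203.0.113.10
set security ike gateway gw-branch external-interface ge-0/0/0

# What NOT to do in this policy: add a proposal with, say, dh-group group2 to
# ike-pol-agg. Message 1 carries only the group14 public value, so the peer can never
# select that proposal; it is dead weight here. Mixing groups only makes sense in main
# mode, where the SA proposal (messages 1-2) precedes the DH exchange (messages 3-4).
```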




Wednesday, January 24, 2018

HOWTO: test for mobile-friendliness and load issues

Google has a mobile-friendly test site that is pretty good at identifying how pages load on mobile devices and any errors.

https://search.google.com/test/mobile-friendly

It's as simple as "insert the URL and submit".

If the site loads and is deemed mobile friendly, the output will be presented.

But if it fails or has issues, you will get a simple results-and-hints output.

Depending on the speed of the website, the results should take under 1 min.


Thursday, January 18, 2018

SSL CA chain and proxies

The latest in the security world is "SSL inspection". This is a must if you have data that's encrypted. Doing SSL decryption allows you to inspect data that would otherwise not be inspectable.

Does this make you more secure? It is an argument with pros and cons that are debatable. One con: you lose any expectation of privacy.

So how do you know if an SSL inspection device is in the path between you and a website?

If you know the true issuer of the site certificate, you can explore the CA chain in your browser. Here's Google's website in my MSIE browser:

The CA chain path on the left is surely an indication of a forged CA path, whereas the right side is the real chain.

This is from a BlueCoat proxy at my day job, by the way.

So when in doubt, use a site like SSL Labs or similar and compare the browser-reported chain to the chain SSL Labs discovers.








