Tuesday, May 15, 2018

RBL tracker services

RBL Tracker is a service used by major email senders that reports when any of your public addresses lands on a blacklist.

They offer bulk discounts, but you need a large number of addresses to see any benefit. They also support an API POST callback, if you want alerts delivered via an API post.

Here are a few screenshots of the service with the cost calculators, using the extremes of 1-hour versus 48-hour check intervals.

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
 

Monday, May 14, 2018

How to get an A+ for your HTTPS websites from SSL Labs

We explored DNS CAA records for certificates in a past blog post.

reference:


http://socpuppet.blogspot.com/2016/04/dns-caa-records-for-certifications.html

But another sure way to increase your SSL Labs score is to enable HPKP (HTTP Public Key Pinning). The process is simple to set up: if you can inject the HTTP header "Public-Key-Pins:" with the pin value, you increase the trust level within the browser.

Here's a typical A+ score as seen on SSL Labs for a website I recently built.


I'm going to focus on HPKP pinning.

First, finding your HTTPS site's public key is quite simple, e.g.:

openssl s_client -connect www.example.com:443 -servername www.example.com </dev/null 2>/dev/null | openssl x509 -noout -pubkey > yoursitepub.key

(The </dev/null is needed so s_client does not sit waiting for input; -servername sends SNI so a shared host returns the right certificate.)


The above command writes the site's PEM-encoded public key (a BEGIN PUBLIC KEY block) to the file:





Alternatively, you can use the quick HPKP calculator ;)

https://hpkpcalc.github.io/calculator.html
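As an added example (not code from the original post), here is a POSIX shell script that turns the public key file produced above, or a certificate, into the pin value the Public-Key-Pins header carries (base64 of the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo) and assembles the header with a backup pin. It assumes openssl is installed; the keys it generates are constructed for the demo and do not belong to any real site, and the max-age and includeSubDomains values are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: derive the pin-sha256 value HPKP
# expects (base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo) and
# assemble a Public-Key-Pins header with a backup pin. Assumes openssl is
# installed; the key and certificate below are constructed for the demo.
set -eu

# pin_from_pubkey FILE: pin for a PEM public key such as the one written by
# "openssl x509 -noout -pubkey" (openssl pkey reads stdin when no -in is given)
pin_from_pubkey() {
    openssl pkey -pubin -outform DER < "$1" \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# pin_from_cert FILE: pin for the public key carried inside a PEM certificate
pin_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# pkp_header PRIMARY_PIN BACKUP_PIN MAX_AGE: the header line to inject. RFC 7469
# requires a second pin for a key that is NOT on the live chain, so a planned
# re-key does not lock browsers out for MAX_AGE seconds.
pkp_header() {
    printf 'Public-Key-Pins: pin-sha256="%s"; pin-sha256="%s"; max-age=%s; includeSubDomains\n' \
        "$1" "$2" "$3"
}

# Demo with constructed keys (not a real site): live cert plus an offline backup key
demo() {
    tmp=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/live.key"
    openssl req -new -x509 -key "$tmp/live.key" -subj "/CN=www.example.com" \
        -days 1 -out "$tmp/live.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/backup.key"
    openssl pkey -in "$tmp/backup.key" -pubout -out "$tmp/backup.pub"
    pkp_header "$(pin_from_cert "$tmp/live.crt")" \
               "$(pin_from_pubkey "$tmp/backup.pub")" 5184000
    rm -rf "$tmp"
}
demo
```

Run it as-is to see a complete header line; in production, feed pin_from_cert the certificate actually served and pin_from_pubkey the public half of a backup key that is kept offline. Checking that the two pins differ before deploying is the one test that prevents the classic HPKP self-lockout.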



Helpful tools:

https://report-uri.io/home/pkp_analyse
https://securityheaders.io/
https://crt.sh

  


On an F5, you can apply a public key pin within an LTM policy:

http://socpuppet.blogspot.com/2017/10/building-http-pkp-header-for-insert.html


Now keep in mind that Google has deprecated HPKP in a recent announcement, and they point to the Expect-CT header instead.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

 

YMMV


Forcepoint NGFW log forwarding

Log forwarding from the Forcepoint LogServer or Management Server is simple and supports a few options.



With regard to filters, this is the same approach as in PAN-OS, where you define filter requirements for sending specific flows to the remote collector. In my first case, ATL_SERVER has a filter type defined.


Now for the bad: the LogServer is a centralized device, so conceptually the logs are generated at the NGFW engines and carried back to the log server.

The log server then regenerates the logs to be dumped as NetFlow or syslog, for example. This can raise concerns if you have numerous NGFW engines deployed globally and the LogServer is not local to the NGFW engine: if connectivity is lost, the flow is delayed until path recovery has taken place.


How to find the various device certifications for security devices


Here are a few simple links for device certifications, if you're ever curious which certifications a device has been submitted for.


Remember to review the lists; in F5's case you can contact sales for more details.

https://f5.com/about-us/certifications


Friday, May 11, 2018

How to check client certificate TLS using curl

Sometimes Firefox or Safari has issues with the OS's certificate store. curl can be used for validation and is quite easy.

  1. You will need the CA root in your CA trust list
  2. The client-side certificate
  3. You need to know the client-side key and passphrase, if one is set



Here are a few Chrome-based browsers:





Now here's curl testing, calling up the user certificate. A .pfx/.p12 bundle needs --cert-type P12, and the passphrase goes after a colon:

curl --cert-type P12 --cert <certificateinp.pfx>:<passphrase> -k https://www.example.com
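As an added example (not from the original post), the following POSIX shell script performs the three checks from the list above locally before curl is run: that the PKCS#12 bundle opens with its passphrase, that the client certificate inside it chains to the expected CA root, and that it has not expired. It then prints the curl invocation with --cacert in place of -k, so that the server side is verified against the same CA root rather than skipped. It assumes openssl and curl are installed; the CA, client certificate and passphrase "secret" are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: confirm locally that a PKCS#12
# client bundle opens with its passphrase and that the certificate inside it
# chains to the expected CA root and is unexpired, then print the curl command.
# Assumes openssl and curl are installed; all key material is constructed.
set -eu

# pfx_to_cert PFX PASSPHRASE OUT: extract only the client certificate (PEM);
# fails when the passphrase is wrong or the bundle is damaged
pfx_to_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null
}

# check_client_cert CERT_PEM CA_ROOT_PEM: 0 when the certificate chains to
# CA_ROOT and is inside its validity window, 1 otherwise
check_client_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
    return 0
}

# curl_cmd PFX PASSPHRASE CA_ROOT URL: the curl line to run once the bundle
# checks out; --cacert replaces -k so the server certificate is verified too
curl_cmd() {
    printf 'curl --cert-type P12 --cert %s:%s --cacert %s %s\n' "$1" "$2" "$3" "$4"
}

demo() {
    tmp=$(mktemp -d)
    # constructed CA root
    openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/ca.key"
    openssl req -new -x509 -key "$tmp/ca.key" -subj "/CN=Demo Root CA" \
        -days 1 -out "$tmp/ca.pem" 2>/dev/null
    # constructed client certificate signed by that CA, packed into a .pfx
    openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/client.key"
    openssl req -new -key "$tmp/client.key" -subj "/CN=demo-user" \
        -out "$tmp/client.csr" 2>/dev/null
    openssl x509 -req -in "$tmp/client.csr" -CA "$tmp/ca.pem" -CAkey "$tmp/ca.key" \
        -CAcreateserial -days 1 -out "$tmp/client.pem" 2>/dev/null
    openssl pkcs12 -export -in "$tmp/client.pem" -inkey "$tmp/client.key" \
        -passout pass:secret -out "$tmp/client.pfx"
    if pfx_to_cert "$tmp/client.pfx" secret "$tmp/extracted.pem" \
       && check_client_cert "$tmp/extracted.pem" "$tmp/ca.pem"; then
        curl_cmd "$tmp/client.pfx" secret "$tmp/ca.pem" https://www.example.com
    else
        echo "bundle did not open, or the certificate does not chain to the CA root / has expired" >&2
    fi
    rm -rf "$tmp"
}
demo
```

When the local checks pass but the server still rejects the handshake, the problem is on the server's trust list or its requested CA names, not the client bundle, which narrows the investigation considerably.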


Tuesday, May 8, 2018

Why the FortiGate is a better virtual appliance for the public cloud

The FortiGate VMs have been around for some time. One area that has grown is the public cloud space. Other vendors are still figuring out the what/where/how of targeting this area.

FortiGate images are available in the following public clouds:

Azure/AWS/Oracle/GoogleCloudCompute/Alibaba


Other vendors (CHKP/PANW/CSCO/Forcepoint/etc.) still do not have the same coverage.

Keep the following in mind when selecting a FortiGate as a virtual firewall for the public cloud.

The total number of virtual cores and amount of virtual memory matter, and you don't have a means of allocating CPUs separately to data and management planes the way Palo Alto does. HA design is not conventional and requires deep thought and planning.

And finally, the total number of available FortiOS versions can be limiting.


The public cloud sector will always grow, and I'm sure FTNT will grow with it. The number of images available in the marketplaces will continue to be a strength and widen to meet the public cloud space.


AV with HTTPS inspection in FortiOS

In this blog post, I will show how simple it is to enable antivirus (AV) with TLS inspection. In this case we will use the EICAR test files and watch the block action when my machine tries to download the AV test file.


The first thing you need is a firewall policy with an SSL/SSH inspection profile. This needs to be applied in the firewall policy.


This policy #8 has an AV profile attached, using the default AV profile that ships on every FTNT NGFW appliance.





NOTE: The SSL/SSH profile "NEWSSH" was crafted for my HTTPS deep inspection.

Now with these two combined, we have AV inspection and SSH/TLS inspection. The FortiGate intercepts the web client (browser) connection, re-signs the server certificate so that the FortiGate appears as the issuer in the CA chain, and on the back side inspects the decrypted HTTP traffic.









And a typical antivirus UTM log will be generated:


Yes, it's that simple to enable AV protection for web browsers. For regular HTTP (non-secure) the same principle applies without the need for an SSL/SSH inspection profile, as long as the AV service is enabled for HTTP.
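As an added example (not from the original post and not FortiOS code), here is a small POSIX shell script for checking from the client side that deep inspection is actually in effect: it reads the issuer of the leaf certificate a site presents and compares it with the name of the CA your inspection profile re-signs with. That CA name ("Constructed Inspection CA"), the certificates the demo generates, and the presence of openssl are all assumptions; substitute the CA name from your own profile.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that TLS deep inspection
# is really re-signing traffic by looking at who issued the leaf certificate
# the browser receives. With inspection on, the issuer is the firewall's CA
# rather than the site's public CA. The CA name and certificates below are
# constructed for the demo; openssl is assumed to be installed.
set -eu

# leaf_issuer HOST PORT: issuer DN of the leaf certificate seen on the wire
# (needs network access; not exercised by the offline demo)
leaf_issuer() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

# issuer_of_pem FILE: issuer DN of a certificate already saved to disk
issuer_of_pem() {
    openssl x509 -in "$1" -noout -issuer
}

# inspected_by ISSUER_DN CA_NAME: 0 when the issuer contains the inspection
# CA's name (substring match, so it works across openssl's DN output styles)
inspected_by() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

demo() {
    tmp=$(mktemp -d)
    # constructed inspection CA, standing in for the firewall's re-signing CA
    openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/insp.key"
    openssl req -new -x509 -key "$tmp/insp.key" -subj "/CN=Constructed Inspection CA" \
        -days 1 -out "$tmp/insp.pem" 2>/dev/null
    # leaf for the site as the browser would see it behind inspection
    openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/site.key"
    openssl req -new -key "$tmp/site.key" -subj "/CN=www.example.com" \
        -out "$tmp/site.csr" 2>/dev/null
    openssl x509 -req -in "$tmp/site.csr" -CA "$tmp/insp.pem" -CAkey "$tmp/insp.key" \
        -CAcreateserial -days 1 -out "$tmp/resigned.pem" 2>/dev/null
    iss=$(issuer_of_pem "$tmp/resigned.pem")
    if inspected_by "$iss" "Constructed Inspection CA"; then
        echo "deep inspection active, issuer: $iss"
    else
        echo "no re-signing seen, issuer: $iss"
    fi
    rm -rf "$tmp"
}
demo
```

Against a live host, `inspected_by "$(leaf_issuer www.example.com 443)" "<your inspection CA name>"` tells you whether that client's traffic passes through the inspecting policy; running it from a host that is exempt from inspection should return the site's real CA, which is a quick way to confirm exemption lists are doing what you expect.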
