Wednesday, May 15, 2019

Oracle Cloud has a few NGFW offerings. Here are a few of the NGFW firewalls available in Oracle Cloud:



Fortinet has put a large part of its security portfolio into Oracle Cloud.




NASDAQ: FTNT. Not bad ;)






NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \

Tuesday, May 7, 2019

ID'ing the rootCA certificate

When working on TLS decryption we need to tell the subCA apart from the rootCA. Here is DigiCert as the example, with the output for the subCA (aka intermediate) vs the rootCA.



The tell-tale sign of a rootCA certificate is that it is self-signed, which means the issuer and subject fields always match. An intermediate's issuer is instead the subject of the root (or of another intermediate) that signed it. One caveat: matching subject and issuer only tells you the certificate is self-signed, and anyone can mint a self-signed certificate; what makes it a trusted root is that it sits in the trust store, not the self-signature itself.

So based on the screenshot, the bottom certificate is the rootCA.
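The same subject-vs-issuer check, scripted with openssl so it can be run against a chain file or an exported certificate. This is an added example and not part of the original post; it builds a throwaway root and intermediate with made-up names ("Demo Root CA", "Demo Intermediate CA") so it runs offline, and adds a second, stronger test: a real root verifies against itself as the only trust anchor, which a certificate that merely has matching names but a bad signature would not.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway root CA and an
# intermediate signed by it, then classify each PEM the way the post describes,
# by checking whether issuer and subject match. The CA names are made up.
set -e
WORK=$(mktemp -d)

# Root CA: -x509 makes openssl self-sign the request, so subject == issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate: a CSR signed with the root's key, so its issuer is the root's subject.
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
openssl x509 -req -in "$WORK/sub.csr" -days 1 \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/sub.pem" 2>/dev/null

# classify_cert FILE : prints "root" when subject and issuer match, else "intermediate"
classify_cert() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    # drop the "subject=" / "issuer=" labels so only the DNs are compared
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo root
    else
        echo intermediate
    fi
}

# self_signature_ok FILE : stronger than name matching; the certificate must
# verify with itself as the only trust anchor (exit 0) to count as a root.
self_signature_ok() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

for f in "$WORK/root.pem" "$WORK/sub.pem"; do
    printf '%s: %s (self-signature %s)\n' "$(basename "$f")" "$(classify_cert "$f")" \
        "$( self_signature_ok "$f" && echo valid || echo absent )"
done
```

To use it on a real chain, split the PEM bundle into one file per certificate and call `classify_cert` and `self_signature_ok` on each; the one that passes both is the root, and it should be the one already present in your trust store.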






Friday, April 26, 2019

How to build GEO country block lists

Firewalls, SLBs and other security devices typically have a GEO database that allows a quick allow|block by country. Most other systems do not, but you can build simple scripts that feed GeoIP information into the firewall service.

In this example we will use iptables and firewalld.


If you're using a system that does not have an integral GeoIP database, you can call out to ipdeny and, using the two-letter ISO country code, build lists with ease.

http://www.ipdeny.com/


Using the following URL format, we can quickly pull the data for a country and feed it into our script or tool for a simple drop or accept. Here we are using iptables and the ISO country codes gq (Equatorial Guinea) and io (British Indian Ocean Territory):


http://ipdeny.com/ipblocks/data/aggregated/io-aggregated.zone
http://ipdeny.com/ipblocks/data/aggregated/GQ-aggregated.zone




And an example with firewalld:
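A script that covers both the iptables and the firewalld case, added here as an example and not taken from the original post. It assumes the ipdeny URL format shown above, loads every prefix into one ipset (one `ipset add` per prefix, a single DROP rule) rather than one iptables rule per prefix, and validates each line before it goes anywhere near the firewall, since the zone file arrives over plain HTTP. The sample zone content is constructed for the demo and is not a real country allocation, and the commands are printed rather than executed so the script can be run on any host; the set name `geo_gq` is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the original post: turn an ipdeny-style aggregated
# zone file (one CIDR per line) into ipset/iptables or firewalld commands.
# The commands are printed rather than executed; pipe the output to sh on the
# firewall host. The zone content below is constructed for the demo.
set -e

SAMPLE_ZONE=$(mktemp)
cat > "$SAMPLE_ZONE" <<'EOF'
# constructed sample zone, not downloaded from ipdeny
192.0.2.0/24
198.51.100.0/25
this line is garbage
203.0.113.0/24
EOF

# fetch_zone CC FILE : download the aggregated list for a 2-letter ISO code;
# ipdeny's file names are lowercase, so the code is lowercased first.
fetch_zone() {
    cc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    curl -fsS "http://ipdeny.com/ipblocks/data/aggregated/${cc}-aggregated.zone" -o "$2"
}

# valid_cidrs FILE : pass only IPv4 CIDR lines; comments or a tampered or
# truncated download must not end up as an ipset entry.
valid_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' "$1"
}

# count_valid FILE : how many usable prefixes the file holds
count_valid() {
    valid_cidrs "$1" | wc -l | tr -d ' '
}

# iptables_rules SETNAME FILE : one ipset holding every prefix and one DROP
# rule matching it, instead of one iptables rule per prefix.
iptables_rules() {
    set_name=$1
    echo "ipset create $set_name hash:net -exist"
    valid_cidrs "$2" | while read -r net; do
        echo "ipset add $set_name $net -exist"
    done
    echo "iptables -I INPUT -m set --match-set $set_name src -j DROP"
}

# firewalld_rules SETNAME FILE : same idea with firewalld's own ipset support;
# the cleaned list goes to a temp file for --add-entries-from-file.
firewalld_rules() {
    set_name=$1
    clean=$(mktemp)
    valid_cidrs "$2" > "$clean"
    echo "firewall-cmd --permanent --new-ipset=$set_name --type=hash:net"
    echo "firewall-cmd --permanent --ipset=$set_name --add-entries-from-file=$clean"
    echo "firewall-cmd --permanent --zone=drop --add-source=ipset:$set_name"
    echo "firewall-cmd --reload"
}

echo "# iptables / ipset version"
iptables_rules geo_gq "$SAMPLE_ZONE"
echo "# firewalld version"
firewalld_rules geo_gq "$SAMPLE_ZONE"
```

For a real run, replace the constructed file with `fetch_zone gq gq.zone` and pass `gq.zone` in. Two caveats a practitioner should keep in mind: the list is fetched over plain HTTP with no integrity check, so a garbage or tampered line is filtered but a plausible-looking wrong prefix is not, and country blocking is coarse, since traffic from a VPN or cloud egress point in another country walks straight past it.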











Thursday, April 25, 2019

Forcepoint SMC v6.6

Forcepoint has NGFW and SMC version 6.6.0 available. You can follow Forcepoint at the following link: https://www.forcepoint.com/blog


We have started some testing of the SMC appliance with the new SMC v6.6.
















The API interface is available for administration of the SMC.






It's also best to make sure the updates are current.












Wednesday, April 24, 2019

Site Down Checker using curl

Working in a support center, we needed a simple site checker script that could be used to check for a site not being available. In this example I'm using my favorite tool, curl. The script can be modified to inspect whatever status code you are looking for. This is roughly what an F5 LTM health monitor does, btw.

#!/bin/bash
#
# Fetch only the HTTP status code: -o /dev/null discards the body, -s is
# quiet, -w prints just the code, and --max-time keeps a hung site from
# hanging the check. Certificate validation is left on: an expired or
# wrong certificate means users can't reach the site either, so it counts
# as down rather than being skipped with -k.
D=$(curl -o /dev/null -s --max-time 10 -w "%{http_code}" https://platform.ringcentral.com/restapi/)

# expected status code
T=200

if [ "$T" = "$D" ] ; then
    echo "Site is reachable"
else
    echo "Site is down (got ${D:-no response})"
fi

You should be able to build on this and even set an expected response time if you are making functional changes based on extended response times.

For example, if we are looking for status code 200 and a response time of 200 ms or less, we could pull the time like this:

e.g

F=$(curl -o /dev/null -s --max-time 10 -w "%{time_total}" https://platform.ringcentral.com/restapi/)
# time_total is in seconds with sub-millisecond precision (e.g. 0.187654),
# so convert it to whole milliseconds before an integer comparison
MS=$(awk -v t="$F" 'BEGIN { printf "%d", t * 1000 }')


And then compare that value against the threshold to see whether it is 200 ms or less.
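Putting the two checks together, as an added example rather than the post's own script: one curl call returns both the status code and the total time, and the decision logic lives in a separate function so it can be exercised without network access. The URL, the expected code 200 and the 200 ms budget are the post's values; the function names and the 5 second timeout are my choices.

```shell
#!/bin/sh
# Added example, not from the original post: a health check that fails on
# either a wrong status code or a slow response. The decision is separated
# from the curl call so it can be tested with constructed values.
URL="https://platform.ringcentral.com/restapi/"
WANT_CODE=200
MAX_MS=200

# probe URL : one curl call, prints "<http_code> <time_total_seconds>".
# No -k: an invalid or expired certificate is a failure, not a pass.
# On a connection failure curl reports code 000, which evaluate rejects.
probe() {
    out=$(curl -o /dev/null -s --max-time 5 -w '%{http_code} %{time_total}' "$1" 2>/dev/null) || true
    echo "${out:-000 0}"
}

# evaluate CODE SECONDS : prints "up", "bad_status" or "slow".
# The status code is checked first, so a fast error page is still a failure.
evaluate() {
    code=$1
    ms=$(awk -v t="$2" 'BEGIN { printf "%d", t * 1000 }')
    if [ "$code" != "$WANT_CODE" ]; then
        echo bad_status
    elif [ "$ms" -gt "$MAX_MS" ]; then
        echo slow
    else
        echo up
    fi
}

# main : probe the real URL and exit non-zero unless the result is "up",
# so the script can drive a monitoring alert or a cron job.
main() {
    set -- $(probe "$URL")
    result=$(evaluate "$1" "$2")
    echo "$URL -> http $1, ${2}s: $result"
    [ "$result" = up ]
}

# run the live check only when asked: sh check.sh run
case "${1:-}" in run) main ;; esac
```

The exit status of `main` is the useful part for automation; the printed line is for a human reading the cron mail.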







Thursday, April 4, 2019

using curl to get page load times


You can use the various timing variables that curl defines to get page load times:


H:\Desktop>curl -L --silent --show-error -I --write-out "lookup:        %{time_namelookup}\nconnect:       %{time_connect}\nappconnect:    %{time_appconnect}\npretransfer:   %{time_pretransfer}\nredirect:      %{time_redirect}\nstarttransfer: %{time_starttransfer}\ntotal:         %{time_total}\n" https://www.example.com


Example output: each value is the number of seconds from the start of the request until that point, not the duration of the phase itself. time_namelookup is when DNS resolution finished, time_connect when the TCP handshake completed, time_appconnect when the TLS handshake completed (0 for plain http), time_pretransfer when the request was about to be sent, time_starttransfer when the first byte of the response arrived, and time_total when the transfer ended. Because -I sends a HEAD request, the total covers headers only.
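Since the values are cumulative, the per-phase cost is the difference between consecutive ones. The script below is an added example (not from the original post) that pulls the five timestamps in one curl call and turns them into DNS, TCP, TLS, time-to-first-byte and body durations in milliseconds; the sample timestamps at the bottom are constructed, not a real measurement, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: curl's time_* values are all
# measured from the start of the request, so the cost of one phase is the
# difference between consecutive values. phase_breakdown converts one line of
# "%{time_namelookup} %{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total}"
# into DNS / TCP / TLS / TTFB / body durations in milliseconds.

# timing URL : one curl call printing the five cumulative timestamps (seconds)
timing() {
    curl -sS -L -o /dev/null --max-time 10 \
        -w '%{time_namelookup} %{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total}\n' \
        -I "$1"
}

# phase_breakdown NAMELOOKUP CONNECT APPCONNECT STARTTRANSFER TOTAL
# prints "dns=.. tcp=.. tls=.. ttfb=.. body=.. total=.." in whole milliseconds
phase_breakdown() {
    awk -v nl="$1" -v c="$2" -v ac="$3" -v st="$4" -v t="$5" 'BEGIN {
        # appconnect is 0 for plain http: no TLS phase, and TTFB starts at TCP connect
        tls  = (ac > 0) ? (ac - c) : 0
        base = (ac > 0) ? ac : c
        printf "dns=%.0f tcp=%.0f tls=%.0f ttfb=%.0f body=%.0f total=%.0f\n",
            nl * 1000, (c - nl) * 1000, tls * 1000, (st - base) * 1000, (t - st) * 1000, t * 1000
    }'
}

# constructed sample (not a real measurement) for an https fetch:
phase_breakdown 0.012 0.040 0.110 0.180 0.200
# live use: phase_breakdown $(timing https://www.example.com)
```

A large tls value relative to tcp usually means a full handshake with no session resumption, and a large ttfb with small everything else points at the application rather than the network.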




Tuesday, March 12, 2019

AES vs DES overhead

AES and DES are two well-known symmetric block ciphers.

All variants of AES use 128-bit (16-byte) blocks; the key size (128, 192 or 256 bits) does not change the block size. In a padded mode such as CBC, the data is padded out to a multiple of the block size, and with PKCS#7 padding a whole extra block is appended even when the input is already aligned. That padding can't be avoided in CBC; only stream-style modes such as CTR or GCM produce ciphertext the same length as the plaintext (GCM adds an authentication tag instead).

Using unix dd and openssl we can witness this behaviour in a simple demo.

I've crafted 4 files, each named simply 1byte, 2byte, 15byte and 16byte:


e.g 

   dd if=/dev/random of=./1byte bs=1 count=1 
   dd if=/dev/random of=./2byte bs=2 count=1    
   dd if=/dev/random of=./15byte bs=15 count=1 
   dd if=/dev/random of=./16byte bs=16 count=1 

We then used openssl with AES and then DES for encryption, and finally two other CBC ciphers. Each command prompts for a password and derives the key from it:


e.g 

  openssl enc -des-cbc -in 1byte -out 1byte.des
  openssl enc -aes-128-cbc -in 2byte -out 2byte.aes

Take notice of the resulting files. Two things inflate them: the PKCS#7 padding, which adds between 1 byte and one full block, and a 16-byte header ("Salted__" followed by the 8-byte salt) that openssl enc prepends whenever the key is derived from a password. So the 1-byte file becomes 8 + 16 = 24 bytes under DES-CBC and 16 + 16 = 32 bytes under AES-128-CBC, and the 16-byte file becomes 32 + 16 = 48 bytes under AES because an aligned input still gets a full padding block.





And to confuse you even more, some ciphers use a smaller block size. Take the same 1, 2, 15 and 16 byte files and encrypt them with CAST and IDEA. These have 64-bit (8-byte) blocks, so the padded output grows in 8-byte steps rather than 16. Note that on OpenSSL 3.0 and later, single DES, CAST and IDEA live in the legacy provider, so those commands may need -provider legacy.
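The whole experiment scripted so it runs unattended, as an added example and not the original post's commands. It uses a fixed password with -pbkdf2 instead of the interactive prompt, 3DES (des-ede3-cbc) as the 8-byte-block cipher because it does not need the legacy provider, AES-CTR to show a mode with no padding, and a raw -K/-iv key for AES-CBC to show the output with the salt header removed; /dev/urandom replaces /dev/random so the reads never block. The hex key and IV are arbitrary demo values. `expected_cbc_size` is the formula the measured sizes should match.

```shell
#!/bin/sh
# Added example, not from the original post: measure the ciphertext size that
# `openssl enc` produces for 1, 2, 15 and 16 byte inputs under a 16-byte block
# cipher (AES-128-CBC), an 8-byte block cipher (3DES-CBC) and AES in CTR mode,
# which pads nothing. Key handling is fixed so the script needs no prompt.
set -e
WORK=$(mktemp -d)

# password-derived key: openssl writes a 16-byte "Salted__"+salt header first
PW="-pass pass:demo -pbkdf2"
# raw key and IV (arbitrary demo values, AES only): no header is written
RAW="-K 000102030405060708090a0b0c0d0e0f -iv 00000000000000000000000000000000"

# make_input N : N random bytes in $WORK/Nbyte (urandom never blocks)
make_input() {
    dd if=/dev/urandom of="$WORK/${1}byte" bs="$1" count=1 2>/dev/null
}

# enc_size N CIPHER KEYFLAGS... : size in bytes of the ciphertext for an
# N-byte plaintext under CIPHER with the given key flags
enc_size() {
    n=$1; cipher=$2; shift 2
    make_input "$n"
    openssl enc "-$cipher" "$@" -in "$WORK/${n}byte" -out "$WORK/${n}byte.$cipher" 2>/dev/null
    wc -c < "$WORK/${n}byte.$cipher" | tr -d ' '
}

# expected_cbc_size N BLOCK : PKCS#7 appends 1..BLOCK bytes, so the padded
# length is the next multiple of BLOCK strictly greater than N; add the
# 16-byte salt header written for password-derived keys.
expected_cbc_size() {
    echo $(( (($1 / $2) + 1) * $2 + 16 ))
}

for n in 1 2 15 16; do
    printf '%2d bytes: aes-128-cbc=%s (expect %s)  des-ede3-cbc=%s (expect %s)  aes-128-ctr=%s  aes-128-cbc raw key=%s\n' \
        "$n" \
        "$(enc_size "$n" aes-128-cbc $PW)"  "$(expected_cbc_size "$n" 16)" \
        "$(enc_size "$n" des-ede3-cbc $PW)" "$(expected_cbc_size "$n" 8)" \
        "$(enc_size "$n" aes-128-ctr $PW)" \
        "$(enc_size "$n" aes-128-cbc $RAW)"
done
```

The CTR column is always 16 + N, which shows that the padding overhead is a property of the mode, not of AES, while the raw-key column is the padded length alone (16, 16, 16, 32 bytes) and makes clear how much of the "overhead" in the password-based runs is really the salt header.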



So remember that block-cipher encryption in a padded mode always carries some padding overhead, up to one full block, on top of whatever header or IV the tool prepends.



