Thursday, August 28, 2014

This is why FortiCloud is not a viable logging solution in big enterprise networks.

A heavily used firewall with tons of events can easily exhaust the quota set by the FortiCloud logging service. Granted, you could increase the quota by paying for a quota subscription.

Here's the logging error you will see on the dashboard if logging stops or is inaccessible:

Here's a means for looking at the number of events logged ( fds = the events logged to the cloud, mem = the events logged to memory ):


note: to reset the statistics, kill off the miglogd process and let it restart;

Method1:


Method2:

diag sys kill 1 <PID>    YMMV with the latter.



Next, it's easy to  fill your quota and exhaust your disk usage.


NOTE: You can always keep deleting logs to make space available, but that gets boring very quickly.



FortiCloud is great for SOHO and low-usage SMB firewalls, but it's not intended to replace enterprise-level logging systems. This is where Cisco Meraki wins, imho.

I will post about Meraki cloud management and logging next month. With the Cisco Meraki approach you get this via an activation license that you must buy for the Meraki appliance. That covers all Meraki appliances, not just firewalls, whereas firewalls are all the FortiCloud solution supports.

Nothing is free from cisco btw ;)



FortiCloud is a good try-it, see, and then buy option if it meets your needs. Or you can always go with the local FortiAnalyzer approach.

http://www.fortinet.com/products/fortianalyzer/

key points about FortiCloud;
  • is not a best-fit model for all setups
  • requires internet access for logging
  • puts your logging data in somebody else's hands
  • is quota based
  • requires internet access for retrieval ( so if you're down and trying to get logging info, you're shit out of luck unless you have memory logging enabled )

Ken Felix
NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  $  $ )=
       o 
      /  \

Saturday, August 23, 2014

Digital Ocean is so cool

I just wanted to say that DigitalOcean hosting has a very good interface and support. Managing your virtual instance is simple, and deployment is quick.

https://cloud.digitalocean.com

You can set up an account in a matter of 5 minutes and then be off in the digital cloud, so to speak. The control panel and droplet creation features are amazing. Here's a few screenshots;

They have support for IPv6, but not in all datacenters as of yet. Because of this single deficiency, I'm stuck with leaving a few of my virtual host machines on my current VPS provider, arpnet.

NOTE: DigitalOcean has a community forum that's available for user knowledge:
https://www.digitalocean.com/community/

More information can be found here:
http://en.wikipedia.org/wiki/DigitalOcean


Referral link here:

www.digitalocean.com/?refcode=cb7ab73540c5



Friday, August 22, 2014

A cool openssl tip for file hash checking

How many times have you seen hash check files for downloads on a website?

How many times have you seen a SHA1 or RMD160 hash, and you didn't have a native Unix tool for comparing the values?

Did you know that openssl has the means for displaying common and not-so-common hash types?

Okay, here's me checking the MD5 and SHA1 hash of a tarball file;



and another favorite, RMD160, of the same tarball;


So if you don't have an md5, sha1 or rmd160 program but have openssl installed, you can use openssl for hash comparisons.

note: Mac OS X 10.9.x does not have a sha1 or rmd160 hash binary available natively, but openssl is pre-installed.
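As an added example that is not part of the original post, here is a small POSIX shell function that does the comparison described above with openssl alone, for md5/sha1 as well as rmd160. The demo file and its "published" digests are constructed for the example, and the legacy-provider retry assumes an OpenSSL 3.x build.

```shell
#!/bin/sh
# Added example, not from the original post: check a download against its
# published hash using only openssl. Works for md5/sha1/sha256 and the
# not-so-common rmd160. Returns 0 on match, 1 on mismatch, 2 if openssl
# cannot compute that digest (unknown algorithm or unreadable file).
openssl_verify() {
    file=$1; algo=$2; expected=$3

    # "openssl dgst -r" prints coreutils-style "hex *file", which parses the
    # same way on OpenSSL 1.x and 3.x (the default "ALGO(file)= hex" varies).
    computed=$(openssl dgst "-$algo" -r "$file" 2>/dev/null)
    if [ $? -ne 0 ]; then
        # OpenSSL 3.0.0-3.0.6 ship RIPEMD-160 only in the legacy provider;
        # retry with it loaded (default re-added, since -provider disables it).
        computed=$(openssl dgst -provider legacy -provider default \
                       "-$algo" -r "$file" 2>/dev/null) || return 2
    fi
    computed=${computed%% *}          # drop " *file", keep the hex digest

    # Published hashes are often upper-case; normalise before comparing.
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')

    if [ "$computed" = "$expected" ]; then
        echo "OK   $algo $file"
        return 0
    fi
    echo "FAIL $algo $file: got $computed, expected $expected" >&2
    return 1
}

# Constructed demo input (stands in for the tarball): a file holding "hello\n",
# whose well-known digests are used as the "published" values below.
demo=$(mktemp) && printf 'hello\n' > "$demo"
openssl_verify "$demo" md5  b1946ac92492d2347c6235b4d2611184
openssl_verify "$demo" sha1 F572D396FAE9206628714FB2CE00F72E94F2258F
rm -f "$demo"
```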




Dumping a process on IOS-XR

In this post, we will look at how to dump a process that's running under IOS-XR. The tasks and steps are quite simple, btw. The dump process is an offshoot of the QNX/Unix "dumper" command.

The very 1st step is to find the process you would like to dump.

The show process | incl <process name or pid> is one of many ways. In this example we will dump the sshd daemon that's running for remote management access.

Next we need to find the location where our dumpfile will be stored. The show exception cmd will display our possible collection areas.


1:  the dump file is compressed with unix compress
2:  you can uncompress it with gzip
3:  the dump size could be large

Now to dump our sshd process, we execute the dump command.


The log will show the dump and the path to  the dump.


Key points;
  • compression is used for space saving
  • compression can be disabled by configuration in config mode ( exception compress off )
  • dumping a process can be performed without interruption
  • process dumps help Cisco TAC with troubleshooting specific process issues

NOTE: an alternative method for dumping a process is to do this via admin mode, using the process command and crashing the process. This is the same as a Unix kill with the appropriate signals for dumping.





Three ways to find the running-config size in Cisco IOS

Here are a few means for finding the actual Cisco IOS running-config size.




1st

The show running-config command always shows the size of the config in bytes at the top of the output.
The same holds true with write term.

2nd

Copying the config to the null device will display the size as well.

And last

The running config is typically stored in the "system:" directory, which contains a lot of other goodies btw.

note: you will need enable (privilege level 15) for any of the above to execute.






Wednesday, August 20, 2014

IPv6 support at Microsoft

Microsoft has been busy adding IPv6 support, and here's a listing of applications and services.

Take heed: Azure is still lacking IPv6, and Skype wasn't even listed.

http://technet.microsoft.com/en-us/network/hh994905.aspx
http://technet.microsoft.com/en-us/network/bb530961.aspx



ASA 9.3.1 upgrades are under way.

I've started to push Cisco ASA 9.3.1 software out across a few ASA5558-X and so far it looks good.



Version



And this welcoming message on the standby

The main feature that's a big improvement in my environment is the support for NSF with regards to OSPF. Now the Cisco ASA has support for NSF via the command nsf cisco under the router config section. You can validate whether NSF is enabled via the show ospf nsf command.



Tuesday, August 19, 2014

Encrypted DMG images: standard vs sparse

Apple Mac OS X has the means for generating encrypted DMG images. But did you know you have 2 types? Yes, the DMG image has standard and sparse modes.

The difference between the two: "sparse mode does not pre-build or consume disk space". As it's used, the disk file space is consumed.

1st, let's use the Apple Disk Utility to build these two image types for comparison.

( building a std dmg image w/AES128 )





( building a sparse dmg image w/AES128 )


Okay, now let's compare the final disk image sizes for the regular and sparse 100MB images.


 and;


So the advantage with sparse: we still have an encrypted volume, but the size is not pre-allocated. Great if you need to encrypt data and then send it to another user.

Opt out of saving the passphrase to your keychain. If anybody compromises your machine, they will be able to automatically mount your encrypted volume if the passphrase is attached to your keychain. Password management is great and convenient but weakens security imho.



As the disk image is used ( DMG sparse image ) the disk space will be consumed. Disk space will continuously be consumed as you fill the volume, up to the defined size that you set during the Disk Utility operation.





Monday, August 18, 2014

ASA software upgrades to 9.2.2.4 and 9.3

I'm upgrading a few ASAs to 9.2.2.4, and later in the week to 9.3 code for the ASA5558s.


failover status;





And now;


But as usual, Cisco has placed limitations on EEM, and it's not supported in multi-context mode.


sad




Thursday, August 14, 2014

gTLDs become more commercialized

If you haven't been keeping up with the new gTLD domains, here's a list of some of the new ones;

http://newgtlds.icann.org/en/program-status/delegated-strings



These new domains allow for more commercialization and add fire to the already heavily used com, edu, mil, org and net gTLDs. One of the new gTLDs that struck me was YANDEX. Yes, you can have domain.YANDEX as a domain.

Why this will become a problem now or later;

1: email security is now exposed to many more forged email domains

2: email filters might need to be improved

3: web security filters and proxies might have a problem with the increased number of characters to the right of the last dot

4: previously unregistered first-level names can cause confusion in orgs that decided a long time back to use these in their naming schema ( corp, inc, etc..... )


On the plus side, the commercial impact can now be increased by hundreds to thousands of dollars. Take my birth state and the following gTLD "cooking".


note: 8,500 USD for a domain with a one-year registration is ridiculously high imho

Keep in mind, that not all domain-names are available within the new gTLDs.

e.g

The bottom line: these new domains are about making money. Per InterNIC, each registrar can charge what they want. http://www.internic.net/faqs/domain-names.html




usbflash on Cisco 2960S switches

On a whim I decided to see if the stackable Cisco 2960S supports usbflash, and whether it works in the same fashion as an ISR router.

( output from show version with model and IOS version )




Coming soon: Next Generation Firewall Reseller

Socpuppets is happy to say that in the near future, Y2015, I will launch my new business.

http://www.nextgenfw.com/

We offer the following services;
  • security consulting
  • mobile security forensics
  • consulting
  • cloud security monitoring
  • cloud reselling services
  • firewall hardware reseller


Wednesday, August 13, 2014

Converting a new FortiGate from switch port mode to interfaces

Most of the lower-end FortiGate models have an internal switch. This is a group of ports acting like a Layer 2 switch. Sometimes the need arises for more unique ports. For example, a FortiGate 60D has 7 ports in a switchport grouping. If we wanted to make these 7 interface-mode ports, we will need to execute a few commands for changing the switch to usable port interfaces.

I will demo this using a FGT110C model.

1st, you will set the system global configuration;

( set internal-switch-mode interface )

2nd, if you have a new firewall or even an existing one, you will need to remove all references to the "switch". This means;
  • firewall policy
  • vpn configs
  • dhcp-server
  • ip address
  • etc.......

Here we only have a single firewall policy, so we will purge it.

NOTE: the purge is like a delete all; great when you have hundreds of policies, but use it with caution.



3rd

You will need to reboot when making this type of change ( switch to interface-ports ).


After completion, you will have new interfaces named port or internal 1,2,3, etc., depending on the model of firewall.

e.g. ( FGT110C 4.0 MR3p18 )



