With multiple ISP uplinks and static routes, you need a means to control how to "swack" ( telco lingo for switching ) to the 2nd uplink, ISP2, when the main ISP1 is down. Gateway detect is the means for this.
Take a look at this simple diagram;
So we want ISP1 to be our primary and ISP2 to come into play if ISP1 is down. Here's one way to manipulate this with static routes:
config router static
edit 10
set device "wan1"
set gateway 1.1.1.1
set priority 90
next
edit 11
set device "wan1"
set gateway 2.2.2.1
set priority 100
next
end
NOTE: Any route other than a blackhole route on a FortiGate can have the priority set. The lower value is preferred if you have 2 matching routes.
So now we can set the dead gateway detect:
config router gwdetect
edit "wan1"
set failtime 100
set interval 30
set server "1.1.1.1"
set source-ip 1.1.1.2
next
end
NOTE: Adjust the interval and failtime values to suit your needs and to ride out any flapping. You can be more or less aggressive with your interval and failtime.
So if 1.1.1.1 ( ISP1 ) becomes unreachable ( link down, excessive packet loss, etc. ), the stand-by floating route via 2.2.2.1 with a priority of 100 will populate the FortiGate routing information base.
You can validate gwdetect via the following show cmd:
get router info gwdetect
wan1:
proto ping, interval 30, failtimes 100, state up
1.1.1.1 (1.1.1.2 ): state (up)
You can use protocols similar to Juniper SRX probe or Cisco IP SLA ( icmp/udp/tcp ), and you don't have to use the next-hop as the target; it could be a device 1, 2, 3 or more hops away.
NOTE: Please ensure you have the correct policies to allow outbound traffic over the 2nd link, ISP2.
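How the interval and failtime values above turn into failover time, as an added example that is not part of the original post: a small model that replays ping results and reports when the floating route takes over. Assumptions: failtime counts consecutive lost pings, a single reply resets the count and restores the primary, and only the route whose gateway is the probed server is withdrawn; all class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class StaticRoute:
    device: str
    gateway: str
    priority: int  # lower value is preferred between matching routes


@dataclass
class GwDetect:
    server: str    # ping target
    interval: int  # seconds between pings
    failtime: int  # lost pings before the gateway is declared dead

    def worst_case_detection_seconds(self) -> int:
        """Upper bound on the time from outage start to the gateway being declared dead."""
        return self.interval * self.failtime


# Values taken from the configuration in the post.
PAGE_ROUTES = [
    StaticRoute("wan1", "1.1.1.1", 90),
    StaticRoute("wan1", "2.2.2.1", 100),
]
PAGE_DETECT = GwDetect(server="1.1.1.1", interval=30, failtime=100)


def active_gateway(routes, dead_gateways):
    """Gateway of the preferred (lowest priority value) route that is still usable."""
    usable = [r for r in routes if r.gateway not in dead_gateways]
    return min(usable, key=lambda r: r.priority).gateway if usable else None


def simulate(detect, routes, ping_results):
    """Replay ping results (True = reply); return (seconds, state, active gateway) events."""
    events, misses, dead = [], 0, set()
    for n, replied in enumerate(ping_results, start=1):
        now = n * detect.interval
        if replied:
            misses = 0  # assumption: one reply clears the loss counter
            if detect.server in dead:
                dead.discard(detect.server)
                events.append((now, "up", active_gateway(routes, dead)))
        else:
            misses += 1
            if misses >= detect.failtime and detect.server not in dead:
                dead.add(detect.server)
                events.append((now, "down", active_gateway(routes, dead)))
    return events


if __name__ == "__main__":
    print("worst-case detection with the post's values:",
          PAGE_DETECT.worst_case_detection_seconds(), "seconds")
    # Constructed ping trace: a short flap, then a real outage, then recovery.
    aggressive = GwDetect(server="1.1.1.1", interval=5, failtime=3)
    trace = [True, False, False, True, False, False, False, True]
    for event in simulate(aggressive, PAGE_ROUTES, trace):
        print(event)
```

With interval 30 and failtime 100 the primary is not declared dead until up to 3000 seconds of continuous loss, which is the trade-off the NOTE about aggressiveness refers to.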
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \
Monday, January 19, 2015
nV ASR IOS-XR vrf ( Satellite Network Virtualization (nV) System )
I was researching some unresolved VRF interfaces and found this VRF; I had no clue as to why it was present until I did some deep researching.
RP/0/RSP0/CPU0:CORE01#show vrf all
Mon Jan 18 12:33:46.168 CST
VRF RD RT AFI SAFI
**nVSatellite not set
Management not set
RP/0/RSP0/CPU0:CORE01#
If you have the following package installed { disk0:asr9k-9000v-nVx.x.x }, the above VRF will be created automatically by IOS-XR, and the following internal interface will be created and bound to that VRF.
show vrf **nVSatellite det
Mon Jan 18 12:34:00.498 CST
VRF **nVSatellite; RD not set; VPN ID not set
VRF mode: Regular
Description not set
Interfaces:
nV-Loopback0
Address family IPV4 Unicast
No import VPN route-target communities
No export VPN route-target communities
No import route policy
No export route policy
Address family IPV6 Unicast
No import VPN route-target communities
No export VPN route-target communities
No import route policy
No export route policy
You can find more information on the Satellite Network Virtualization System at the following link:
http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-2/nV/configuration/guide/b_nv_cg52xcrs/b_nv_cg52xcrs_chapter_00.html#concept_83ED4DF362ED48CD9A938AC20BC2E7D4
pfSense configuration management
Here we will look at a few config management tips. 1st off, the pfSense firewall allows you to make backups that are encrypted or non-encrypted. This really helps if you want to share or redeploy the configuration xml file between units.
WebGUI: Diagnostics > Backup/Restore
The file is encrypted using a user-provided password. Here's the output of an encrypted file;
NOTE: the file extension is still "xml", but the data between BEGIN config.xml and END config.xml is now encrypted.
pfSense also has the ability to perform configuration diffs from the WebGUI. Most modern firewalls don't even offer this capability, outside of Juniper SRX and Palo Alto Networks PAs
( show conf | compare rollback or show config diff respectively )
( sample diff screen )
So you have a few tricks for cfg management and storage and diff.
An NX-OS logging default vrf tip
If you're having problems with SYSLOG logging, you need to be aware that the vrf used is always the "management" vrf by default.
Just configuring the "source" interface for SYSLOG within the NX-OS configuration will NOT cause SYSLOG to work using that interface if it's not part of the management vrf.
My local interface for logging, as defined in the logging configuration;
logging source-interface Vlan200
Which is clearly not defined in any vrf, so it's in the "default" vrf table.
interface Vlan200
no shutdown
mtu 1500
ip address 10.10.130.202/23
So if you look closely at my logging configuration screenshot, you will see the issue and how to correct it;
Notice you have to get the logging server defined to use the "default" vrf vs. "management".
And now a simple tshark dump, using syslog for the display filter, shows my log messages are actually being sent and received;
Just a quick tip if you're ever wondering why your syslog does not work. You can also validate using the following show command: "show logging server"
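A configuration check for the mismatch described above, as an added example that is not part of the original post: it reads a running-config, works out which vrf the logging source-interface sits in, and flags every logging server whose vrf differs. The server addresses, Vlan300 and the vrf name "mgmt-oob" in the sample are constructed, the function names are hypothetical, and a server line without use-vrf is treated as "management", as the post states.

```python
import re

# Constructed NX-OS running-config excerpt. Vlan200 and its address come from
# the post; the server addresses, Vlan300 and vrf "mgmt-oob" are made up.
SAMPLE_CONFIG = """\
logging server 192.0.2.10 6 use-vrf default
logging server 192.0.2.20 6
logging source-interface Vlan200
interface Vlan200
  no shutdown
  mtu 1500
  ip address 10.10.130.202/23
interface Vlan300
  vrf member mgmt-oob
  ip address 198.51.100.1/24
"""

# Per the post: a logging server defined without use-vrf uses "management".
DEFAULT_LOGGING_VRF = "management"


def interface_vrfs(config):
    """Map each interface to its vrf; no 'vrf member' line means the default vrf."""
    vrfs, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            vrfs[current] = "default"
        elif line[:1].isspace() and current:
            match = re.match(r"\s+vrf member (\S+)", line)
            if match:
                vrfs[current] = match.group(1)
        else:
            current = None  # back at top level, interface block ended
    return vrfs


def audit_logging(config):
    """Return one record per logging server, with match=False on a vrf mismatch."""
    source, servers = None, []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["logging", "source-interface"] and len(tokens) >= 3:
            source = tokens[2]
        elif tokens[:2] == ["logging", "server"] and len(tokens) >= 3:
            vrf = DEFAULT_LOGGING_VRF
            if "use-vrf" in tokens[3:-1]:
                vrf = tokens[tokens.index("use-vrf") + 1]
            servers.append((tokens[2], vrf))
    if source is None:
        return []  # no source-interface configured, nothing to compare
    # Assumption: an interface missing from the excerpt is in the default vrf.
    source_vrf = interface_vrfs(config).get(source, "default")
    return [
        {
            "server": server,
            "server_vrf": vrf,
            "source_interface": source,
            "source_vrf": source_vrf,
            "match": vrf == source_vrf,
        }
        for server, vrf in servers
    ]


if __name__ == "__main__":
    for record in audit_logging(SAMPLE_CONFIG):
        status = "ok" if record["match"] else "MISMATCH"
        print(f'{record["server"]}: server vrf {record["server_vrf"]}, '
              f'source {record["source_interface"]} in vrf {record["source_vrf"]} -> {status}')
```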
Friday, January 16, 2015
A follow up on MACOSX HFS and case sensitive
I did a test with a disk image that was set for case sensitive and here are some screenshots. Why the default disk is case insensitive is strange, and I never really knew this until my shell script testing issue.
This could generate problems if you had a tarball with files with the same name but different letter case extracted into the same directory.
And to show possible file extraction issues ( tarball ), if you had files in a tar/rar with similar names but different cases:
1st I took the files from the case-sensitive volume and created a tarball, then copied the tarball to a case-insensitive volume which has a directory named "jim". Watch the outcome when I extract the files from the tarball.
The extracted tarball trumped my existing directory and the other four files were not included. Just be aware of this.
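A pre-extraction check for the collision described above, as an added example that is not part of the original post: it lists archive paths that differ only in letter case, or that clash with a differently-cased name already in the target directory. The function names and the sample archive are constructed, and Unicode case folding is used as a stand-in for the filesystem's own name comparison.

```python
import io
import tarfile
import unicodedata
from collections import defaultdict


def fold_key(path):
    """Approximate key under which a case-insensitive volume compares names."""
    return unicodedata.normalize("NFD", path).casefold()


def case_collisions(member_names, existing_names=()):
    """Return {folded name: [spellings]} for names that would land on one entry.

    Every directory prefix of a member is checked too, because extraction
    creates those directories and they can collide just like files.
    """
    spellings = defaultdict(set)
    for name in member_names:
        parts = [p for p in name.split("/") if p not in ("", ".")]
        for depth in range(1, len(parts) + 1):
            prefix = "/".join(parts[:depth])
            spellings[fold_key(prefix)].add(prefix)
    # Names already in the target directory only matter if the archive
    # writes to the same folded name.
    for name in existing_names:
        clean = name.strip("/")
        if fold_key(clean) in spellings:
            spellings[fold_key(clean)].add(clean)
    return {key: sorted(names) for key, names in spellings.items() if len(names) > 1}


def audit_tar(fileobj, existing_names=()):
    """Run the collision check over a tar archive without extracting it."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        return case_collisions(tar.getnames(), existing_names)


def build_sample_tar():
    """Constructed archive: five spellings of 'jim' plus one unrelated file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("jim", "Jim", "JIM", "jIm", "jiM", "notes.txt"):
            data = name.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Target directory already holds a directory named "jim", as in the post.
    for key, names in audit_tar(build_sample_tar(), existing_names=["jim"]).items():
        print(f"{key}: {len(names)} spellings would share one entry: {names}")
```

Run it against the archive and a listing of the target directory before extracting onto a case-insensitive volume; an empty result means no two paths fold to the same name.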
Juniper finally released some code 12.1X46-D30
New code came out for the Juniper SRX series 12.1X46 tree.
So I will be busy in the upcoming weeks preparing SRX firewalls to undergo software upgrades, & only after we go thru lab testing and qualifications.
Wednesday, January 14, 2015
Strange MACOSX behavior ? Really not so !
I was working on a unix shell script for finding and parsing files using the "unix find" and ran across something on my MACOSX host that I wanted to share & remind you of.
Check this out, 1st up a typical LINUX DEBIAN HOST
Okay that's simple; " we touch 5 files named jim with different character case."
Using the unix find and "-iname" ( ignore case name ), we found the 5 files. Okay, this is good and correct behavior, what I was expecting to find ( once again excuse the pun )
Okay next up, a MACOSX 10.10.1 aka Yosemite b14B25
So I'm like scratching my head as to why I can't touch 5 files named Jim & with various character letter case. Okay, maybe this is a BSD thing since MACOSX is grown from the BSD family.
So let's see if an OpenBSD host has the same issue ( btw OpenBSD is my favorite OS just to let you know )
( openbsd )
(freebsd)
So what I learned today; " macosx is really screwed up and when testing scripts, it's best to test them on the actual host you're planning to run them on ". I collaborated with some other mac users to see if they could shed some light on this and why, and we came up with this.
http://apple.stackexchange.com/questions/8016/hfs-case-sensitive-or-case-insensitive-which-type-to-use-for-the-primary-dri
It pertains to the filesystem type of "HFS" and the limitations within the filesystem type, naming construction, etc. So even a restrictive filesystem like MSdosFAT would not allow you to do the same.
So after 20+ years using various OSes you will still find yourself learning new things or refreshing things you should already have known. Maybe I should buy one of these books
http://www.dummies.com/how-to/computers-software/macs-os-x.html
ASA IPS modules reloads 7.3.2 E4
After my 9.3.2 upgrade I've noticed even more IPS module reloads in my syslog logging.
The IPS-SSP_20-K9-7.3-2-E4.pkg was upgraded a few months back and we are seeing reloads for this SSP20 module on a regular basis and at almost the same time or hour of the day.
So this is not good. I'm not using the IPS module but I do expect it to stay stable. Cisco hasn't really been too creative with placing code out for this module, and the IPS is at best inferior to almost all other dedicated IPS appliances.
So at best I can do one of the following;
1: downgrade to 7.3.1 E4 ( oops, cisco doesn't even have that option, only one package exists )
2: reload 7.3.2.E4
For the time being, I'm shutting down that module to see what happens.
Tuesday, January 13, 2015
Mounting vmdk on Macosx with paragon
One of my cloud partners & I were talking in the past about mounting qcow & vmdk format virtual disks on MACOSX, and we were not aware of any tool that allows for such activity. Well guess what? " we have one now "
A tool has been released that allows the mounting of other virtual disk formats also. I will demonstrate the vmdk disk mounter using paragon.
1st, paragon is free, but you have to get a registration & product key. This takes a few seconds to do and they send the key via email.
my key
PRODUCT KEY: VMDK-MOUNTER-2014-434979472
SERIAL NUMBER: 51537-43450-1B2D9-8213A
After you run thru the installer, and it can take some time, you can now execute the application. My 1st try at this software generated a mount_error. I never figured out why, and the vmdk in question works perfectly fine on the vmserver that hosts this image.
Now after you select a vmdk file, you can mount the vm-disk and it will show up in diskutil, mount and df details.
A puppylinux vdi image also gave errors;
Other vdi images gave errors also so I'm still investigating and WTF.
For now, the qcow format disk image will have to wait. I've sent two emails requesting more information from them and they have never responded to my request.
Sales
Fax: 1-888-240-8993
E-mail: sales@paragon-software.com
Corporate Sales/OEM/Partners
Phone: 1-888-347-5462 (1-888-DISK-IMAGE)
Fax: 1-888-240-8993
E-mail
Corporate: enterprise-sales@paragon-software.com
OEM: development@paragon-software.com
Partners: partners@paragon-software.com
This tool is great for security analysis & forensics. You can mount these vm disk images RO using the cli option -readonly
e.g
vdmutil -verbose -vendor vmdk -readonly <image name >
Sunday, January 11, 2015
About Me
About Ken Felix
My name is Ken Felix and I'm a network & security engineer working as an independent consultant. My work involves a mix of vendors, but mainly deals with cisco, juniper and fortinet in the security/network sector. I'm consulting with various ServiceProviders and Telco operations in EU/USA/AFRICA and operating within the security cloud services within the USA for various AWS instances. I've started writing up my tips/tricks learned over the last 20+ years and recently started placing these on my google blogspot.
My prime talent deals with security & vpn concepts and routing using IOS or IOS-XR. My love started with ip-internet since my introduction to the internet and ip services while working in the USAF in the mid 90s and then later Worldcom.
I've also worked directly or indirectly with the following businesses
USAF
GTE
WorldWide Technology
IBM global Networks
IBM advantis
WorldCom
MFS
Southwestern Bell
Sprint
PcQuote/Hyperfeed
WebUnited/Expedient
Host dot Net /Broadband One
Terremark
Sapient
Prolexic
GETESA
Various AWS end-users
As I said, I'm a network & security engineer who happens to work in the SMB, Enterprise and Carrier sectors. My experience can be summed up as the following.
- Fiber optics solutions
- SMB, Branch, Campus, and Data Center Routing and Switching
- Carrier and Backbone routing
- Mail Security Solutions
- SIP trunk and Proxy
- vData Center & Cloud Solutions
- End Host & Network Security
- SDN approach & concepts
A few great persons & talents that I've encountered over the years that I would like to mention;
Sidney Adeniyi
Marcus Walsco
Ton Lee
Mario Salvador
K Dervin
Rory Case
Personal interest & hobbies;
cooking
Medium/Large BW pinhole photography
Hunting fishing
Archery
Bicycle and Automoto repair
HAM radio HF operations
1st & 2nd amendment advocate and less gov infringement
Ken Felix
kfelix a-t socpuppets.com
Kelix @ nextgenfw.com
Juniper SRX Probe & Track
Like with the cisco Router & ASA, you can define a probe and track. The Juniper SRX probe gives you full control over the type of probes and is very advanced. The types of probes are;
- http-get
- tcp/udp-port-pings
- icmp-pings
- etc...
I will demonstrate a very simple icmp-probe check, and if the route to the target is lost, we will inject a new route. In this case, I'm injecting a specific /24 route, but the route could be a new default thru a 2nd ISP provider.
1st, here's how we do a basic icmp-probe-type ( interval 1 sec, probe-count of 5x, the probe is deemed failed when we have a total loss, target = 100.100.100.100 )
The monitor that will make the route adjustments based on the assigned probe
The above should be self-explanatory, but if the named probe SOCpup should fail, we will execute a route change to add dest.net 9.0.0.0/24 with a next-hop of 192.168.1.99
We can validate this in the route table, the ip monitor status & the status of our active probes
( notice the failed when our target became unreachable ? )
( status of an active successful probe )
( route injected due to a failed icmp-probe )
Juniper SRX version
Socpuppets 10 rules for DataCenter Operations
The Socpuppets 10 general rules for DataCenter security and operations concerns.
1: Enforce password life-cycles ( expiration and password lengths )
2: Enforce policies for systems and services as required by the users ( control who gains access and to what )
3: Enforce administrator access by roles ( limit the number of superusers, provide access by roles or deploy RBACs )
4: Eliminate external and internal threats by using proper traffic inspection and end-point security controls ( internal and external IPS sensors, end-point controls )
5: Ensure all OS and network systems software are updated and patched ( monitor software updates and fsb, install WSUS/SUS )
6: Filter traffic at the access-layer as much as possible ( don't carry unwanted traffic across distribution, aggregation, and edge, just to be dropped )
7: Deploy advanced UTM features ( AVC, AMP, URL Filtering )
8: Deploy internal services firewalls along with access and edge ( multi-tier & stateful inspection firewalls {real or virtual} )
9: Deploy backups on a regular basis & build a restoral policy ( incremental, full, off-site )
10: Deploy West & East redundant and DR DCcenters ( ensure business critical applications availability and continuity exists )
Fun with creating a strong but yet easy to remember password
While working with a sysadmin back in the mid 2000s, I learned a simple method for crafting a non-dictionary based password that is still simple & effective to remember. It's called the "up and to the right". Take a typical keyboard layout.
A password like xmldjuhs, if we execute the up and to the right by 1 strategy, would look something like this;
Or simply as d k p r i 8 u e . Up and to the right by 2 would become f l [ t o 9 i r.
You can now take a simple word or phrase, do a simple shift by 1 or 2, prefix a string, and have a strong non-dictionary based password. So using my example, we could take the word xmldjuhs, prepend maybe # to the string, and use the up & to the right by one.
# d k p r i 8 u e
Here's another example. The phrase !Soc Puppets# ( intentional space between Soc and Puppets ) becomes !E0F _8--46e# . If we had conducted up and to the right by 2, the output would have been !R-g +9==57r#
Just another simple means for password strength enhancements. Please follow my password suggestions for stronger passwords.
http://socpuppet.blogspot.com/2014/08/password-creation-guide-lines-by.html
The above link provides guidance to prevent dictionary & brute-force based attacks. With enough time and processing power, passwords technically can be brute-forced.
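The "up and to the right" shift written out as code, as an added example that is not part of the original post: each key is replaced by the key one row up and N columns to the right, keeping the Shift state of the original character. It assumes a US QWERTY layout, leaves number-row keys and anything off the edge of the row untouched, and uses hypothetical function names.

```python
# US QWERTY rows from top to bottom (assumed layout). Because the rows are
# staggered, the key at column i+1 of one row sits up and to the right of
# the key at column i of the row below it.
PLAIN = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# character -> (layer it belongs to, row number, column)
_POSITION = {}
for _layer in (PLAIN, SHIFTED):
    for _row_no, _row in enumerate(_layer):
        for _col, _ch in enumerate(_row):
            _POSITION[_ch] = (_layer, _row_no, _col)


def shift_key(ch, by=1):
    """Return the key one row up and `by` columns right, or None if there is none."""
    if ch not in _POSITION:
        return None                      # space, tab, non-US characters
    layer, row_no, col = _POSITION[ch]
    if row_no == 0:
        return None                      # number row has nothing above it
    upper_row = layer[row_no - 1]
    if col + by >= len(upper_row):
        return None                      # would run off the right-hand edge
    return upper_row[col + by]


def up_and_right(text, by=1):
    """Apply the shift to every character that has a target key."""
    return "".join(shift_key(ch, by) or ch for ch in text)


def unshifted_chars(text, by=1):
    """Characters that pass through unchanged, so the user knows what stays as typed."""
    return [ch for ch in text if shift_key(ch, by) is None]


if __name__ == "__main__":
    for word, by in (("xmldjuhs", 1), ("xmldjuhs", 2), ("!Soc Puppets#", 2)):
        print(f"{word!r} shifted by {by}: {up_and_right(word, by)!r}")
    print("left as typed:", unshifted_chars("!Soc Puppets#", 2))
```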
Saturday, January 10, 2015
bzip2 vrs xz ( Should we be using it for day to day functions ? )
In this post, I will show a simple demonstration with bzip2 vrs xz.
http://en.wikipedia.org/wiki/Xz
As you should know, the bzip2 compression libs typically achieve higher compression ratios for the same data vs. other popular compression utilities. In this case, my test file named "bigfile.txt" was compressed with bzip2 and then xz. I took an md5 hash of the original data file to show you that nothing has changed and it's the exact same file.
Please enjoy !
The Compression bake-off ( bzip2 vrs xz )
Note that xz took 2x+ more time for the total operation, but it gained far more compression.
For S@#t and Grins, I threw in gzip so you can see the total compression values gained.
Now I'm not advocating that everybody should run out and start using xz in all cases, " but a penny saved, is a penny earned". Take the above file and let's say you have 1000s of these files on a long-term storage archive/media. If you wanted to save precious disk space, xz will go a long way toward saving it.
These two pictures show you the final word; the choice is up to you.
( space savings )
( total system time for compressing )
Compression should be looked at with the following thoughts;
- time to compress
- final compression ratio
- total memory consumption
- will data be at rest or in motion ( storage & bandwidth savings and calculations )
Friday, January 9, 2015
pfSense 2.1.5 upgraded
I've upgraded one of my local firewalls to pfSense 2.1.5.
Everything seems to be working great. Even the BGP sessions came up with no issues.
pfSense has led the way in opensource firewalls and even has a few hardware appliances now available. These devices have the same interface reliability of the opensource code that you can run on your favorite hardware.
You can follow pfSense at https://blog.pfsense.org/ or via twitter https://twitter.com/pfsense
You can contact socpuppets for assistance with pfsense implementations.