Monday, January 19, 2015

Dead gateway detect on a FortiGate

With multiple ISP uplinks and static routes, you need a way to control how you "swack" ( telco lingo for switching over ) to the second ISP (ISP2) when the primary ISP (ISP1) is down. Dead gateway detection is the mechanism for this.

Take a look at this simple diagram;






So we want ISP1 to be our primary and ISP2 to be in play only when ISP1 is down. Here's one way to arrange that with static routes and route priority;

config router static
    edit 10
        set device "wan1"
        set gateway 1.1.1.1
        set priority 90
    next
    edit 11
        set device "wan2"
        set gateway 2.2.2.1
        set priority 100
    next
end

Both entries keep the default destination 0.0.0.0/0 and the default distance of 10; edit 11 is the ISP2 route and points out the ISP2 interface ( wan2 here ).

NOTE: Any route other than a blackhole route on a FortiGate can have a priority set. For two matching routes the lower priority value is preferred. Priority only breaks ties between routes of equal distance, so keep both default routes at the same distance ( the default of 10 ) or the higher-distance route will never be installed at all.

Now we configure dead gateway detect on the primary interface;

config router gwdetect
    edit "wan1"
        set failtime 100
        set interval 30
        set server "1.1.1.1"
        set source-ip 1.1.1.2
    next
end


NOTE: adjust the interval and failtime values to suit your needs and to ride out any flapping. interval is the number of seconds between probes and failtime is the number of consecutive lost probes before the gateway is declared dead, so with the values above ISP1 is only declared dead after 100 lost probes 30 seconds apart, roughly 50 minutes, which is very conservative. Smaller values fail over faster but will also fail over on a short blip; aggressive versus less aggressive is a trade-off between failover time and flap suppression.

So if 1.1.1.1 ( ISP1 ) becomes unreachable ( link down, excessive packet loss, etc. ), the wan1 route is withdrawn from the FortiGate routing table and the standby floating route via 2.2.2.1 with a priority of 100 becomes the active default route. Once the probes succeed again the wan1 route is reinstalled and, having the better ( lower ) priority, takes over again.
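To reason about an interval/failtime pair before committing it, here is an added example ( not from the original post, and nothing in it talks to a FortiGate ) that models a dead-gateway detector as a consecutive-failure counter, the way gwdetect's interval and failtime behave, and also as a probe-count/total-loss window, which is how the probe in the "Juniper SRX Probe & Track" post further down this page is set up. The probe results are constructed; the rule that one successful probe brings the gateway back up is an assumption of the model, not something the post states.

```python
# Added example: models a dead-gateway detector so interval/failtime choices
# can be reasoned about offline. Not FortiGate code; probe results are constructed.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ConsecutiveFailDetector:
    """gwdetect style: one probe every `interval` seconds, the gateway is
    declared dead after `failtime` consecutive lost probes."""
    interval: int
    failtime: int
    state: str = "up"
    lost_in_a_row: int = 0
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def probe(self, t: int, replied: bool) -> str:
        if replied:
            self.lost_in_a_row = 0
            # Model assumption: a single successful probe brings the gateway back up.
            if self.state == "down":
                self.state = "up"
                self.transitions.append((t, "up"))
        else:
            self.lost_in_a_row += 1
            if self.state == "up" and self.lost_in_a_row >= self.failtime:
                self.state = "down"
                self.transitions.append((t, "down"))
        return self.state


def run_consecutive(results: List[bool], interval: int, failtime: int) -> List[Tuple[int, str]]:
    """Feed a constructed list of probe replies (True = reply received) and
    return the (time_in_seconds, new_state) transitions."""
    det = ConsecutiveFailDetector(interval, failtime)
    for i, replied in enumerate(results):
        det.probe(i * interval, replied)
    return det.transitions


def worst_case_failover_seconds(interval: int, failtime: int) -> int:
    """Roughly how long after the first lost probe the gateway is declared dead."""
    return interval * failtime


def window_total_loss(results: List[bool], probe_count: int, total_loss: int) -> List[bool]:
    """SRX RPM style: probes are grouped into tests of `probe_count`; a test
    fails when at least `total_loss` probes in it are lost. Returns one
    pass/fail flag per complete test (True = test passed)."""
    outcomes = []
    for start in range(0, len(results) - probe_count + 1, probe_count):
        test = results[start:start + probe_count]
        lost = sum(1 for replied in test if not replied)
        outcomes.append(lost < total_loss)
    return outcomes


if __name__ == "__main__":
    # Constructed: a 90 second blip (three lost probes, 30 s apart), then recovery.
    blip = [True, False, False, False, True, True]
    print("failtime=2:", run_consecutive(blip, 30, 2))   # flips down and back up
    print("failtime=5:", run_consecutive(blip, 30, 5))   # blip absorbed, no flap
    print("post's values, worst case:", worst_case_failover_seconds(30, 100), "s")
    # SRX style: 5 probes per test, fail only on total loss of all 5
    print(window_total_loss([True] * 5 + [False] * 5 + [False, True, True, True, True], 5, 5))
```

The first two calls show the flapping trade-off directly: the same three-probe outage bounces the route with failtime 2 and is never noticed with failtime 5, while the post's 30/100 values give a worst case of 3000 seconds before ISP2 is used.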

You can validate gwdetect with the following show command;

get router info gwdetect

wan1:
    proto ping, interval 30, failtimes 100, state up
    1.1.1.1 (1.1.1.2): state (up)



Like a Juniper SRX probe or Cisco IP SLA, you can use icmp/udp/tcp probes, and you don't have to use the next hop as the target; it can be a device one, two, three or more hops away. Probing something beyond the ISP's first router also catches upstream failures that a next-hop ping would miss, but pick a target that actually sits behind that ISP, otherwise the monitor can report a state that has nothing to do with your uplink.


NOTE: make sure the firewall policies also allow outbound traffic on the ISP2 link; otherwise the route fails over but the traffic is dropped at the policy.


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \

nV ASR IOS-XR vrf ( Satellite Network Virtualization (nV) System )

I was researching some unresolved VRF interfaces and found this VRF that I had no clue as to why it was present, until I did some deep researching.


  RP/0/RSP0/CPU0:CORE01#show vrf all
  Mon Jan 18 12:33:46.168  CST
  VRF                  RD                  RT                         AFI   SAFI    
  **nVSatellite        not set           
  Management           not set           
  RP/0/RSP0/CPU0:CORE01#


If you have the following package installed { disk0:asr9k-9000v-nVx.x.x }, the above VRF is created automatically by IOS-XR, and the following internal interface is created and bound to that VRF.


  show vrf **nVSatellite  det
  Mon Jan 18 12:34:00.498 CST

  VRF **nVSatellite; RD not set; VPN ID not set
  VRF mode: Regular
  Description not set
  Interfaces:
    nV-Loopback0
  Address family IPV4 Unicast
    No import VPN route-target communities
    No export VPN route-target communities
    No import route policy
    No export route policy
  Address family IPV6 Unicast
    No import VPN route-target communities
    No export VPN route-target communities
    No import route policy
    No export route policy


You can find more information on the Satellite Network Virtualization System at the following link;

http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-2/nV/configuration/guide/b_nv_cg52xcrs/b_nv_cg52xcrs_chapter_00.html#concept_83ED4DF362ED48CD9A938AC20BC2E7D4



pfSense configuration management

Here we will look at a few configuration management tips. First, the pfSense firewall lets you make backups that are encrypted or unencrypted. This really helps if you want to share or redeploy the configuration XML file between units. Keep in mind that an unencrypted config.xml holds the user password hashes, IPsec pre-shared keys, OpenVPN keys and any certificate private keys, so treat it like a credential store: encrypt it whenever it leaves the box and scrub those sections before sharing it with anyone else.


WebGUI: Diagnostics > Backup/Restore


The file is encrypted with a user-provided password. Here's the output of an encrypted file;




NOTE: the file extension is still "xml", but the data between BEGIN config.xml and END config.xml is now encrypted.

pfSense can also perform configuration diffs from the WebGUI. Few other firewalls offer this capability outside of the Juniper SRX and Palo Alto Networks PAs
( show configuration | compare rollback N    or    show config diff   respectively )


( sample diff screen )







So those are a few tricks for config management, storage and diff.
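The same kind of diff can be done offline against two saved backups, which is handy for change review or for alerting when a rule quietly widens. The following is an added example and not pfSense's own code; the two config.xml documents in it are constructed, trimmed-down fragments, not real backups, and the positional rule[N] path scheme is my own choice for presenting the diff.

```python
# Added example: offline diff of two pfSense config.xml backups so rule changes
# can be reviewed without the WebGUI. Both documents below are constructed.
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

OLD_CONFIG = """<pfsense>
  <system><hostname>fw1</hostname></system>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>10.0.0.5</address><port>443</port></destination>
    </rule>
  </filter>
</pfsense>"""

# Same box after a change: the port restriction is gone and an any/any pass rule appeared.
NEW_CONFIG = """<pfsense>
  <system><hostname>fw1</hostname></system>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>10.0.0.5</address></destination>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>any</protocol>
      <source><any/></source>
      <destination><any/></destination>
    </rule>
  </filter>
</pfsense>"""


def flatten(xml_text: str) -> Dict[str, str]:
    """Map every leaf element to a path. Every child gets a 1-based sibling
    index (rule[1], rule[2]) so repeated rules diff positionally and a path
    never changes shape just because a sibling was added."""
    leaves: Dict[str, str] = {}

    def walk(elem: ET.Element, path: str) -> None:
        children = list(elem)
        if not children:
            leaves[path] = (elem.text or "").strip()
            return
        seen: Dict[str, int] = {}
        for child in children:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            walk(child, f"{path}/{child.tag}[{seen[child.tag]}]")

    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return leaves


def config_diff(old_xml: str, new_xml: str) -> Tuple[Dict[str, str], Dict[str, str], Dict[str, Tuple[str, str]]]:
    """Return (added, removed, changed) leaf paths between two backups."""
    old, new = flatten(old_xml), flatten(new_xml)
    added = {k: v for k, v in new.items() if k not in old}
    removed = {k: v for k, v in old.items() if k not in new}
    changed = {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]}
    return added, removed, changed


if __name__ == "__main__":
    added, removed, changed = config_diff(OLD_CONFIG, NEW_CONFIG)
    for label, entries in (("+", added), ("-", removed)):
        for path, value in sorted(entries.items()):
            print(f"{label} {path} = {value!r}")
    for path, (before, after) in sorted(changed.items()):
        print(f"~ {path}: {before!r} -> {after!r}")
```

Run against the two fragments it prints the removed destination port on rule[1] and the five leaves of the new any/any rule[2], which is exactly the kind of change you want a human to look at before it reaches production.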





An NX-OS logging default VRF tip

If you're having problems with syslog logging, be aware that by default NX-OS sends syslog out of the "management" VRF.

Configuring a "source" interface for syslog in the NX-OS configuration will NOT make syslog use that interface if the interface is not part of the management VRF.

My local interface for logging, as defined in the logging configuration;

logging source-interface Vlan200

Vlan200 is clearly not placed in any VRF, so it lives in the "default" VRF table.


interface Vlan200
  no shutdown
  mtu 1500
  ip address 10.10.130.202/23



So if you look closely at my logging configuration screenshot you will see the issue and how to correct it;


Notice the logging server has to be told to use the "default" VRF instead of "management", i.e. logging server <server-ip> <severity> use-vrf default ; the source interface and the server have to be in the same VRF or the messages never leave the box.


And now a simple tshark dump with "syslog" as the display filter shows my log messages actually being sent and received;



Just a quick tip if you're ever wondering why your syslog doesn't work. You can also validate with the show command "show logging server".



Friday, January 16, 2015

A follow-up on Mac OS X HFS and case sensitivity

I did a test with a disk image that was set to case sensitive and here are some screenshots. Why the default disk is case insensitive is strange, and I never really knew this until my shell script testing issue.

This can cause problems if you extract a tarball containing files with the same name but different letter case into the same directory.




And to show the possible file extraction issues ( tarball ) if you have files in a tar/rar with similar names but different case.

First I took the files from the case-sensitive volume and created a tarball, then copied the tarball to a case-insensitive volume which already has a directory named "jim". Watch the outcome when I extract the files from the tarball.





The extracted tarball trumped my existing directory and the other four files were not included. Just be aware of this.
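Because the loss is silent, the useful check is to look inside the archive before extracting it onto a case-insensitive volume. Here is an added example of that check ( not from the original post ); the archive is built in memory with the same five "jim" names the post used, plus one unrelated file, and the extraction model assumes a case-insensitive but case-preserving filesystem, which is how the default Mac OS X volume ( and NTFS ) behave.

```python
# Added example: pre-extraction check for archive members whose paths differ
# only in letter case. They are distinct files on a case-sensitive volume but
# collapse into one file on a case-insensitive volume, so later members silently
# overwrite earlier ones. The archive below is constructed in memory.
import io
import tarfile
from typing import Dict, List, Tuple


def build_sample_tar() -> bytes:
    """Constructed archive mirroring the post: five 'jim' files that differ only
    in case, plus one unrelated file, all under a 'jim' directory."""
    members = [
        ("jim/jim", b"one"), ("jim/Jim", b"two"), ("jim/JIM", b"three"),
        ("jim/jIm", b"four"), ("jim/jiM", b"five"), ("jim/notes.txt", b"notes"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def case_collisions(tar_bytes: bytes) -> Dict[str, List[str]]:
    """Group member names by case-folded path. Any group with more than one
    member will not survive extraction onto a case-insensitive volume."""
    groups: Dict[str, List[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            groups.setdefault(member.name.casefold(), []).append(member.name)
    return {key: names for key, names in groups.items() if len(names) > 1}


def simulate_case_insensitive_extract(tar_bytes: bytes) -> Dict[str, Tuple[str, bytes]]:
    """Model (assumption) of a case-insensitive, case-preserving filesystem:
    the first name created is the one kept on disk, the last member written
    supplies the contents. Returns folded path -> (name on disk, contents)."""
    on_disk: Dict[str, Tuple[str, bytes]] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            key = member.name.casefold()
            data = tar.extractfile(member).read()
            kept_name = on_disk[key][0] if key in on_disk else member.name
            on_disk[key] = (kept_name, data)
    return on_disk


if __name__ == "__main__":
    archive = build_sample_tar()
    print("colliding groups:", case_collisions(archive))
    for kept, data in simulate_case_insensitive_extract(archive).values():
        print(f"{kept}: {data!r}")
```

If case_collisions() returns anything, extract onto a case-sensitive image ( as the post did ) or rename before extracting; on the default volume the five members end up as a single file named jim/jim whose contents came from jim/jiM, the last one in the archive.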



Juniper finally released some code: 12.1X46-D30

New code came out from Juniper for the SRX series in the 12.1X46 tree.



So I will be busy in the upcoming weeks preparing SRX firewalls to undergo software upgrades, and only after we go through lab testing and qualification.







Wednesday, January 14, 2015

Strange Mac OS X behavior? Really not so!

I was working on a Unix shell script for finding and parsing files using "find" and ran across something on my Mac OS X host that I wanted to share and remind you of.

Check this out; first up, a typical Linux Debian host


Okay, that's simple: we touch 5 files named jim with different character case.

Using find with "-iname" ( case-insensitive name match ) we found the 5 files. Okay, this is good and correct behavior, what I was expecting to find ( once again excuse the pun ).

Okay, next up, Mac OS X 10.10.1 aka Yosemite, build 14B25



So I'm scratching my head as to why I can't touch 5 files named Jim with various character case. Okay, maybe this is a BSD thing since Mac OS X grew from the BSD family.

So let's see if an OpenBSD host has the same issue ( btw, OpenBSD is my favorite OS, just to let you know )

( openbsd )



(freebsd)




So what I learned today: "macosx is really screwed up, and when testing scripts, it's best to test them on the actual host you plan to run them on". I collaborated with some other Mac users to see if they could shed some light on this and why, and we came up with this.

http://apple.stackexchange.com/questions/8016/hfs-case-sensitive-or-case-insensitive-which-type-to-use-for-the-primary-dri

It pertains to the filesystem type: the default Mac OS X HFS+ volume is case-insensitive ( though case-preserving ), so the five names all resolve to the same file and the later touches just update it. Even a restrictive filesystem like MS-DOS FAT would not let you do this. Beyond scripting surprises, it matters for anything that treats a path as an identifier: two names that are different files on Linux are the same file on a default Mac volume.

So after 20+ years of using various OSes you will still find yourself learning new things or refreshing things you should already have known. Maybe I should buy one of these books

http://www.dummies.com/how-to/computers-software/macs-os-x.html




ASA IPS module reloads on 7.3.2 E4

After my 9.3.2 upgrade I've noticed even more IPS module reloads in my syslog.



The IPS-SSP_20-K9-7.3-2-E4.pkg was upgraded a few months back, and we are seeing reloads of this SSP-20 module on a regular basis, at almost the same time or hour of the day.

So this is not good. I'm not using the IPS module, but I do expect it to stay stable. Cisco hasn't been very creative with placing code out for this module, and the IPS is at best inferior to almost all other dedicated IPS appliances.





So at best I can do one of the following;

1: downgrade to 7.3.1 E4 ( oops, Cisco doesn't even offer that option, only one package exists )

2: reload 7.3.2 E4


For the time being, I'm shutting down that module to see what happens.




Tuesday, January 13, 2015

Mounting VMDK on Mac OS X with Paragon

One of my cloud partners and I were talking in the past about mounting qcow and vmdk format virtual disks on Mac OS X, and we were not aware of any tool that allowed such activity. Well, guess what? "we have one now"

A tool has been released that allows mounting other virtual disk formats as well. I will demonstrate the VMDK disk mounter from Paragon.



First, Paragon is free, but you have to get a registration and product key. This takes a few seconds, and they send the key via email.



my key

PRODUCT KEY:   VMDK-MOUNTER-2014-434979472
SERIAL NUMBER: 51537-43450-1B2D9-8213A




After you run through the installer, which can take some time, you can execute the application. My first try at this software generated a mount_error. I never figured out why, and the vmdk in question works perfectly fine on the VM server that hosts this image.


After you select a vmdk file, you can mount the VM disk and it will show up in Disk Utility, mount and df output.



A Puppy Linux vdi image also gave errors;


Other vdi images gave errors also, so I'm still investigating, and WTF.



For now, the qcow format disk image will have to wait. I've sent two emails requesting more information from them and they have never responded to my request.



Sales
Fax: 1-888-240-8993
E-mail: sales@paragon-software.com

Corporate Sales/OEM/Partners
Phone: 1-888-347-5462 (1-888-DISK-IMAGE)
Fax: 1-888-240-8993

E-mail
Corporate: enterprise-sales@paragon-software.com
OEM: development@paragon-software.com
Partners: partners@paragon-software.com

This tool is great for security analysis & forensics. You can mount these VM disk images read-only using the CLI option -readonly. For forensic work that is the only way to mount: a read-write mount lets the OS touch the image ( journal replay, access times, Spotlight indexing ), so hash the image before and after and keep it read-only so the evidence stays what it was.

e.g 

vdmutil  -verbose -vendor vmdk -readonly  <image name >
 


Sunday, January 11, 2015

About Me




About Ken Felix

Hello

My name is Ken Felix and I'm a network & security engineer working as an independent consultant. My work involves a mix of vendors, but mainly deals with Cisco, Juniper and Fortinet in the security/network sector. I'm consulting with various service providers and telco operations in the EU/USA/Africa and operating within the security cloud services within the USA for various AWS instances. I've started writing up the tips/tricks learned over the last 20+ years and recently started placing these on my Google Blogspot.

My prime talent deals with security & VPN concepts and routing using IOS or IOS-XR. My love started with IP/internet since my introduction to the internet and IP services while working in the USAF in the mid 90s and then later at WorldCom.

I've also worked directly or indirectly with the following businesses

USAF
GTE
WorldWide Technology
IBM global Networks
IBM advantis
WorldCom
MFS
Southwestern Bell
Sprint
PcQuote/Hyperfeed
WebUnited/Expedient
Host dot Net /Broadband One
Terremark
Sapient
Prolexic
GETESA
Various AWS end-users


As I said, I'm a network & security engineer who happens to work in the SMB, Enterprise and Carrier sectors. My experience can be summed up as the following.
  • Fiber optics solutions
  • SMB, Branch, Campus, and Data Center Routing and Switching
  • Carrier and Backbone routing
  • Mail Security Solutions
  • SIP trunk and Proxy
  • vData Center & Cloud Solutions
  • End  Host  & Network Security 
  • SDN approach & concepts
As you read my posts, I urge you to comment, provide feedback & suggestions. I wish to share information and am always open to new ideas, solutions and corrections.

A few great persons & talents that I've encountered over the years that I would like to mention;

Sidney Adeniyi
Marcus Walsco
Ton Lee
Mario Salvador
K Dervin
Rory Case

Personal interest & hobbies;

cooking
Medium/Large BW pinhole photography
Hunting fishing
Archery
Bicycle and Automoto repair
HAM radio  HF operations
1st & 2nd amendment  advocate and less gov infringement

Ken Felix
kfelix a-t socpuppets.com
Kelix @  nextgenfw.com

Juniper SRX Probe & Track

Like with the Cisco router and ASA, you can define a probe and a track. The Juniper SRX probe ( Junos RPM, real-time performance monitoring ) gives you full control over the type of probe and is very advanced. The probe types include;

  • http-get
  • tcp-ping / udp-ping
  • icmp-ping
  • etc...
note: these probes are far more flexible than anything in the current Cisco ASA code, giving the SRX much greater control over probes ( aka IP SLA for Cisco folks )


I will demonstrate a very simple icmp-ping probe, and if the route to the target is lost, we will inject a new route. In this case I'm injecting a specific /24 route, but the route could just as well be a new default via a second ISP.

First, here's how we do a basic icmp-ping probe ( interval 1 sec, probe-count of 5, the probe is deemed failed on total loss of all 5, target = 100.100.100.100 )




The monitor that makes the route adjustment based on the assigned probe


The above should be self-explanatory, but if the probe named SOCpup fails, we execute a route change to add destination 9.0.0.0/24 with a next-hop of 192.168.1.99

We can validate this in the route table, the ip-monitoring status and the status of our active probes

( notice the failure when our target became unreachable? )



( status of an active successful probe )


( route injected due to a failed icmp-ping probe )






Juniper SRX version 




Socpuppets 10 rules for DataCenter Operations


The Socpuppets 10 general rules for data center security and operations concerns.

1:
Enforce password life-cycles ( expiration and password lengths )

2:
Enforce policies for systems and services as required by the users ( control who gains access and to what )

3:
Enforce administrator access by roles ( limit the number of superusers, provide access by roles or deploy RBAC )

4:
Eliminate external and internal threats by using proper traffic inspection and end-point security controls ( internal and external IPS sensors, end-point controls )

5:
Ensure all OS and network system software is updated and patched ( monitor software updates and vendor security bulletins, install WSUS / SUS )

6:
Filter traffic at the access layer as much as possible ( don't carry unwanted traffic across distribution, aggregation and edge just to be dropped )

7:
Deploy advanced UTM features ( AVC, AMP, URL filtering )

8:
Deploy internal services firewalls along with access and edge ( multi-tier & stateful inspection firewalls {real or virtual} )

9:
Deploy backups on a regular basis & build a restoral policy ( incremental, full, off-site, and periodically test that a restore actually works )

10:
Deploy redundant West and East DR data centers ( ensure business-critical application availability and continuity )



Fun with creating a strong but yet easy to remember password


While working with a sysadmin back in the mid 2000s, I learned a simple method for crafting a non-dictionary password that is still simple and effective to remember. It's called "up and to the right". Take a typical keyboard layout.



A password like xmldjuhs, if we apply "up and to the right by 1" ( each key replaced by the key one row up and one column to the right ), would look something like this;


Or simply  d k p r i 8 u e .  Up and to the right by 2 ( one row up, two columns right ) becomes  f l [ t o 9 i r .

You can now take a simple word or phrase, shift it by 1 or 2, and prefix a string to get a non-dictionary password. Using my example, take the word xmldjuhs, prepend maybe # to the string and apply up and to the right by one ( the # sits on the top row, has nowhere to go and stays as it is );

# d k p r i 8 u e


Here's another example. The phrase !Soc Puppets# ( intentional space between Soc and Puppets; the ! and # are top-row keys and stay put, and upper case stays upper case ) becomes !E0f _8--46e# . If we had conducted up and to the right by 2, the output would have been !R-g +9==57r#

 
Just another simple means of strengthening a password. Please also follow my password suggestions for stronger passwords.

http://socpuppet.blogspot.com/2014/08/password-creation-guide-lines-by.html

The above link provides guidance to prevent dictionary & brute-force based attacks. Keep in mind that the shift is a fixed, reversible substitution: it defeats a plain dictionary lookup, but a cracker that applies keyboard-shift rules to the same wordlist gets the same candidates, so the base word still has to be long and unguessable in its own right. With enough time and processing power any password can technically be brute-forced.



Saturday, January 10, 2015

bzip2 vs xz ( should we be using it for day-to-day functions? )

In this post I will show a simple demonstration of bzip2 vs xz.

http://en.wikipedia.org/wiki/Xz

As you may know, bzip2 typically achieves a higher compression ratio on the same data than gzip and the other commonly used compression utilities. In this case, my test file named "bigfile.txt" was compressed with bzip2 and then xz. I took an md5 hash of the original data file before and after to show that nothing changed and it's the exact same file. ( md5 is fine for catching an accidental change like this; if you need to detect deliberate tampering of an archive, use sha256 instead. )


Please enjoy !




The Compression bake-off  ( bzip2 vrs xz  )



Note that xz took more than twice as long for the total operation but gained far more compression.



For s@#t and grins, I threw in gzip so you can see the total compression values gained.



Now I'm not advocating that everybody should run out and start using xz in all cases, "but a penny saved is a penny earned". If you have thousands of files like the one above on long-term archive storage media and want to save precious disk space, xz will go a long way.

These two pictures show you the final word; the choice is up to you.

( space savings )



( total system time for compressing )


Compression should be looked at with the following in mind;

  •  time to compress
  •  time to decompress ( an archive is usually read more often than it is written )
  •  final compression ratio
  •  total memory consumption
  •  will the data be at rest or in motion ( storage & bandwidth savings and calculations )
We've come a long way from PKZIP and Stacker compression ;)
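The same bake-off can be scripted so the numbers come out of a function instead of a screenshot. This is an added example ( not from the original post ) using Python's standard library gzip, bz2 and lzma ( xz ) modules on a constructed, very repetitive log-like input, so the ratios it prints are illustrative only; it hashes the data before and after the round trip the way the post did, but with sha256 rather than md5.

```python
# Added example: compression bake-off with the standard library (gzip, bz2,
# lzma/xz) on a constructed input, with a hash check that the decompressed data
# is byte-for-byte the original. The input is synthetic and compresses better
# than real logs would.
import bz2
import gzip
import hashlib
import lzma
import time
from typing import Dict

CODECS = {
    "gzip":  (lambda d: gzip.compress(d, compresslevel=9), gzip.decompress),
    "bzip2": (lambda d: bz2.compress(d, compresslevel=9), bz2.decompress),
    "xz":    (lambda d: lzma.compress(d, preset=9), lzma.decompress),
}


def constructed_bigfile(lines: int = 20000) -> bytes:
    """Synthetic syslog-like text standing in for the post's bigfile.txt."""
    hosts = ["fw1", "core01", "edge2"]
    return b"".join(
        (f"Jan 19 12:{i % 60:02d}:{(i * 7) % 60:02d} {hosts[i % 3]} kernel: pf: pass in on em0 "
         f"from 10.0.{i % 254}.{(i * 13) % 254} to 10.1.1.{i % 9} port {443 + i % 5}\n").encode()
        for i in range(lines)
    )


def bake_off(data: bytes) -> Dict[str, Dict[str, object]]:
    """Compress and decompress with each codec; report size, ratio, timings and
    whether the round trip reproduced the original hash."""
    original = hashlib.sha256(data).hexdigest()
    report: Dict[str, Dict[str, object]] = {}
    for name, (compress, decompress) in CODECS.items():
        t0 = time.perf_counter()
        packed = compress(data)
        t1 = time.perf_counter()
        unpacked = decompress(packed)
        t2 = time.perf_counter()
        report[name] = {
            "bytes": len(packed),
            "ratio": len(data) / len(packed),
            "compress_s": t1 - t0,
            "decompress_s": t2 - t1,
            "intact": hashlib.sha256(unpacked).hexdigest() == original,
        }
    return report


if __name__ == "__main__":
    data = constructed_bigfile()
    print(f"original: {len(data)} bytes")
    for name, r in bake_off(data).items():
        print(f"{name:6} {r['bytes']:>8} bytes  {r['ratio']:6.1f}x  "
              f"c={r['compress_s']:.3f}s d={r['decompress_s']:.3f}s  intact={r['intact']}")
```

Swap constructed_bigfile() for open("bigfile.txt", "rb").read() to get the post's numbers for your own data; the "intact" column is the hash comparison and should always be True.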



Friday, January 9, 2015

pfSense 2.1.5 upgrade

I've upgraded one of my local firewalls to pfSense 2.1.5.






Everything seems to be working great. Even the BGP sessions came up with no issues.



pfSense has led the way in open-source firewalls and now even has a few hardware appliances available. These devices run the same open-source code and interface you can run on your favorite hardware.

You can follow pfSense at  https://blog.pfsense.org/  or via twitter https://twitter.com/pfsense

You can contact socpuppets for assistance with pfsense implementations.

