To recap this previous thread, here is a sure way to test for RC4 support on SMTP TLS connections for mail.
http://socpuppet.blogspot.com.es/2013/02/testing-for-tls-support-wwwsmtp-with.html
You need to specify the RC4 ciphers in your offerings to the mail-server and see if you get connected.
I just found out today that Google is accepting RC4 MD5/SHA for mail;
Other common mail systems support it as well.
It's a mistake to assume that the global system config setting "set strong-crypto disable" will block RC4 TLS connections. This command only blocks RC4 for web GUI access.
On my FortiMail host, strong-crypto (enabled or not) has nothing to do with SMTP and TLS connections.
Enabling FIPS mode operation is a sure way to disable any weak ciphers.
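One way to script the check described above, as an added example that is not from the original post: offer only the RC4 suites over STARTTLS and read back the negotiated cipher rather than relying on "connected". The function names and the host argument are assumptions for illustration, and it assumes a local openssl binary that still includes RC4.

```shell
#!/bin/sh
# Added example (not from the original post): audit a mail server you run for
# RC4 over STARTTLS. Function names and the host argument are illustrative.

# Read `openssl s_client` output on stdin and classify the handshake result.
rc4_verdict() {
    # s_client summarises the negotiated suite as "... Cipher is <name>".
    v_cipher=$(sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | head -n 1)
    case "$v_cipher" in
        # Server agreed to an RC4 suite.
        *RC4*)    echo "accepted $v_cipher" ;;
        # Handshake failed, nothing was negotiated.
        "(NONE)") echo "rejected" ;;
        # No TLS summary at all: refused, timed out, or no STARTTLS offered.
        "")       echo "inconclusive no-handshake" ;;
        # Connected with a non-RC4 suite (e.g. TLS 1.3, whose suites the
        # -cipher option does not restrict), so this proves nothing about RC4.
        *)        echo "inconclusive $v_cipher" ;;
    esac
}

# Offer only the RC4 suites to HOST [PORT] via SMTP STARTTLS.
probe_rc4() {
    p_host=$1
    p_port=${2:-25}
    # Many current OpenSSL builds are compiled without RC4; such a client
    # cannot make the offer, so report that instead of "rejected".
    if ! openssl ciphers 'RC4-SHA:RC4-MD5' >/dev/null 2>&1; then
        echo "inconclusive local-openssl-lacks-rc4"
        return 2
    fi
    echo QUIT | openssl s_client -connect "$p_host:$p_port" -starttls smtp \
        -cipher 'RC4-SHA:RC4-MD5' 2>&1 | rc4_verdict
}

# Usage: sh rc4check.sh mail.example.com [port]   (placeholder host name)
if [ $# -gt 0 ]; then
    probe_rc4 "$@"
fi
```

Only an "accepted" verdict shows the server negotiates RC4; either "inconclusive" result means the test has to be repeated from a client that can actually make the RC4-only offer.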
Ken Felix
Freelance Network/Security Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( # # )=
@
/ \
Thursday, April 30, 2015
Wednesday, April 29, 2015
fortinet beta is open
FTNT is cool in that it welcomes end-users into the beta program. The URL for accessing this program:
https://support.fortinet.com/BetaProgram/BetaProgramStatus.aspx
Based on your "active" contract and the type of devices you have, you could be welcomed for beta testing various platforms.
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \
Friday, April 24, 2015
Our cisco ASA 9.4.1 ( new features highlights )
I was reviewing the latest firewall code for the Cisco ASA 9.4.1. Here are a few snapshots of the features that caught my eye.
fips mode specific issues
We now have dhcp monitor statistics for ipv6 hosts
PBR...say it isn't so (a long-time routing feature that's been missing)
Well this is good!
Here's your migration strategy to get to 9.4.1
I have to say, this is all good news from the CSCO camp.
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( : : )=
o
/ \
Wednesday, April 8, 2015
route-server for network paths analysis
The following URL http://routeserver.org/ has a list of route servers that are open to the public. Almost every continent has some type of public offering.
These could be Cisco, Juniper or Quagga/Zebra based systems; almost all require a basic 1st/2nd level authentication, and the banner shown when you open a telnet session will show the login details.
e.g
NOTE: not all route servers support BGP IPv6
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \
Friday, April 3, 2015
FortiMail exposes user and admin login details via httpd debugs
I was playing around with a FortiMail running version "v5.1,build286,141023 (5.1.4 GA)" and found a serious flaw, imho, that exposes users.
The diag debug application httpd commands will expose the web GUI login details regardless of whether it's for a system admin or a local user.
Here's the diag debug command used;
Now here's some debug outputs from a few trace-logs;
AdminLogin
Local_User
So even if the user password is encrypted, the passwords will be displayed in the trace-log.
What this boils down to:
Any mail admin can access the diag debug command, and with it all user logins/passwords or other admins' access information, by enabling a debug httpd trace.
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \