Thursday, April 30, 2015

HOWTO: check RC4 MD5/SHA support for SMTP over TLS

To recap this previous thread, here is a sure way to test for RC4 support on SMTP TLS connections for mail.

http://socpuppet.blogspot.com.es/2013/02/testing-for-tls-support-wwwsmtp-with.html

You need to specify the RC4 ciphers in your offerings to the mail-server and see if you get connected.
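
As an added example (not from the original post), the check above can be scripted around the openssl command-line client: offer only the RC4 suites after STARTTLS and classify the result. The function names, the placeholder host and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
RC4_LIST='RC4-MD5:RC4-SHA'   # the two suites named in the post title

# Read `openssl s_client` output on stdin and print a one-line verdict.
classify_handshake() {
    negotiated=$(sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | head -n 1)
    case "$negotiated" in
        RC4-*)    echo "accepted $negotiated" ;;    # server agreed to RC4
        "(NONE)") echo "rejected" ;;                # handshake failed, no shared cipher
        "")       echo "no-handshake" ;;            # connect or STARTTLS never completed
        *)        echo "unexpected $negotiated" ;;  # e.g. a TLS 1.3 suite, which -cipher does not restrict
    esac
}

# Offer only RC4 to host:port after STARTTLS and classify the outcome.
probe_rc4() {
    host=$1
    port=${2:-25}
    # Many current OpenSSL builds ship without RC4; the client then cannot
    # offer it, and a failed connection says nothing about the server.
    if ! openssl ciphers "$RC4_LIST" >/dev/null 2>&1; then
        echo "inconclusive: local openssl cannot offer RC4"
        return 2
    fi
    echo QUIT | openssl s_client -starttls smtp -connect "$host:$port" \
        -cipher "$RC4_LIST" 2>/dev/null | classify_handshake
}

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_ACCEPT='New, TLSv1/SSLv3, Cipher is RC4-SHA
    Protocol  : TLSv1.2
    Cipher    : RC4-SHA'
SAMPLE_REJECT='New, (NONE), Cipher is (NONE)
    Cipher    : 0000'

# Usage: sh rc4probe.sh mail.example.com 25   (placeholder host)
if [ $# -gt 0 ]; then
    probe_rc4 "$@"
fi
```

An "inconclusive" result means the test has to be repeated from a host whose OpenSSL build still includes RC4.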

I just found out today that Google is accepting RC4 MD5/SHA for mail;


Other common mail systems also support it;


It's a mistake to assume that the global system config command "set strong-crypto disable" will block RC4 TLS connections. This command only blocks RC4 for webGUI access.

On my FortiMail host, strong-crypto (enabled or not) has nothing to do with SMTP and TLS connections.


Enabling FIPS mode operation is a sure way to disable any weak ciphers.


Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=( #  # )=
      @
      /   \


Wednesday, April 29, 2015

fortinet beta is open

FTNT is cool in that it welcomes end-users into the beta program. The URL for accessing this program:

https://support.fortinet.com/BetaProgram/BetaProgramStatus.aspx

Based on your "active" contract and the type of devices you have, you could be welcomed for beta testing various platforms.


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \

Friday, April 24, 2015

Our Cisco ASA 9.4.1 (new feature highlights)

I was reviewing the latest firewall code for the Cisco ASA 9.4.1. Here are a few snapshots of the features that caught my eye.

FIPS mode specific issues


We now have DHCP monitor statistics for IPv6 hosts


PBR... say it isn't so (a long-time routing feature that has been missing)


Well this is good!



Here's your migration strategy to get to 9.4.1


I have to say, this is all good news from the CSCO camp.



Wednesday, April 8, 2015

route-server for network paths analysis

The following URL, http://routeserver.org/, has a list of route servers that are open to the public. Almost every continent has some type of public offering.




These could be Cisco, Juniper or Quagga/Zebra based systems. Almost all require basic 1st/2nd level authentication, and the banner shown when you open the telnet session will give the login details.

e.g


NOTE: not all route servers support BGP IPv6



Friday, April 3, 2015

FortiMail exposes user and admin login details via httpd debugs

I was playing around with a FortiMail running version "v5.1,build286,141023 (5.1.4 GA)" and found a serious flaw, imho, that exposes users.

The diag debug application httpd commands expose the webGUI login details, regardless of whether the login is for a system admin or a local user.

Here's the diag debug command used ;


Now here's some debug outputs from a few trace-logs;

AdminLogin


Local_User


So even if the user password is encrypted, the passwords will be displayed in the trace-log.


What this boils down to;

Any mail admin can access the diag debug command and, by enabling a debug httpd trace, see every user's login/password and other admins' access information.

