I was speaking with a virtual hosting partner about IPv4 vs IPv6 allocations.
The following link is a good summary of just how unevenly IPv4 was allocated across the continents: http://subnettingpractice.com/ip_allocation.html
In brief, the IPv4 address space was divided very unequally where Africa, Asia and Latin America are concerned.
With IPv6, the allocated prefixes are divided roughly equally between the Regional Internet Registries.
The following pie charts show these allocation blocks for the 5 registries; pretty much balanced.
IPv4 is a different story:
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \
Friday, August 21, 2015
What SSL inspection security features (FortiGate)
A discussion was in play on the Fortinet forum about SSL inspection, and many questions have arisen over what the FortiGate actually inspects within SSL.
What I've found out is that SSL inspection will let any web client establish HTTPS sessions to sites with small key sizes or weak ciphers. Certificate revocation is not strictly enforced, nor is OCSP mandated. So this leaves you with the security functions of the user's web browser and OS.
Firefox seems to be slightly ahead of the game compared to Chrome or Opera, but leaving security controls in the hands of the end user will always equal a disaster.
For example, I reconfigured my Apache2 web server with a 384-bit key and with SSLv3 enabled only.
The FortiGate allowed access to this site with SSL inspection enabled.
The same happened with RC4-SHA as the only enabled cipher suite. Even a site with a revoked certificate was passed through blindly.
Firefox will drop sessions using TLS 1.0 and a 384-bit key and give you a generic warning.
All of these would be very bad for a high-security website and place the end user's data at risk.
Question?:
So how do we secure a client from accessing a website with the above?
Response:
You will need to use a third-party proxy appliance that has tighter acceptance controls.
Merely inspecting the certificate serial number, expiration date and CA trust is not enough. Client access to weak and vulnerable websites should be restricted and enforced, imho.
OpenSSL itself groups ciphers into LOW, MEDIUM and HIGH strength lists, which its ciphers command will describe;
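The acceptance controls described above, written out as an added example (this is not FortiGate code and not from the original post): a small Python checker that judges a server by the three things the post says were waved through, the negotiated protocol, the cipher suite and the RSA key size. The thresholds are this example's own assumptions, the DER walker is a minimal one that assumes a well-formed certificate with an RSA key, and fixture_cert builds a constructed certificate skeleton so the parser can be exercised offline.

```python
"""Acceptance checks an inspecting proxy should apply to an HTTPS server.

Added example, not FortiGate code. Thresholds are assumptions for the example;
the DER walker assumes a well-formed X.509 certificate carrying an RSA key.
"""
import socket
import ssl

MIN_RSA_BITS = 2048                                  # assumed policy, not a vendor default
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "NULL", "EXP", "MD5")
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1, DER-encoded


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_body):
    """Split the body of a DER SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq_body):
        tag, val, pos = _tlv(seq_body, pos)
        out.append((tag, val))
    return out


def rsa_modulus_bits(cert_der):
    """RSA modulus size of a DER certificate, or None if the key is not RSA."""
    _, cert, _ = _tlv(cert_der, 0)                   # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                        # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    (_, alg_id), (_, pubkey) = _children(fields[5][1])[:2]
    if RSA_OID not in alg_id:
        return None
    rsa_pub = _children(_tlv(pubkey[1:], 0)[1])      # BIT STRING: skip the unused-bits byte
    return int.from_bytes(rsa_pub[0][1], "big").bit_length()   # INTEGER n


def evaluate(protocol, cipher, key_bits):
    """Policy violations for one observed session; an empty list means accept."""
    violations = []
    if protocol not in ALLOWED_PROTOCOLS:
        violations.append(f"protocol {protocol} not allowed")
    if any(tok in cipher.upper() for tok in WEAK_CIPHER_TOKENS):
        violations.append(f"weak cipher {cipher}")
    if key_bits is not None and key_bits < MIN_RSA_BITS:
        violations.append(f"RSA key {key_bits} bits < {MIN_RSA_BITS}")
    return violations


def probe(host, port=443):
    """Connect permissively (so a weak server is observed, not refused) and judge it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                       # we judge the server, we do not trust it
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher, protocol, _ = tls.cipher()
            key_bits = rsa_modulus_bits(tls.getpeercert(binary_form=True))
    return evaluate(protocol, cipher, key_bits)


def _der(tag, body):
    """Minimal DER encoder, used only to build the parser fixture below."""
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body


def fixture_cert(modulus_bits):
    """Constructed, unsigned certificate skeleton with an RSA key of the given size.
    Only the field layout is real; it is a parser fixture, not a usable certificate."""
    n = (1 << (modulus_bits - 1)) | 1                # exactly modulus_bits bits, odd
    n_bytes = n.to_bytes((modulus_bits + 7) // 8, "big")
    if n_bytes[0] & 0x80:
        n_bytes = b"\x00" + n_bytes                  # DER INTEGER is signed: keep it positive
    rsa_pub = _der(0x30, _der(0x02, n_bytes) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsa_pub))
    empty = _der(0x30, b"")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + empty + empty + empty + empty + spki)
    return _der(0x30, tbs + empty + _der(0x03, b"\x00"))
```

probe('example.com') runs it against a live host; it deliberately connects with verification off and with the lowest protocol version the local OpenSSL still allows, because a client that already refuses weak servers cannot report what they offer. Revocation (CRL/OCSP) is not covered here; that needs a separate fetch of the CRL or an OCSP query.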
Tuesday, August 18, 2015
ASA IPS-SSP_20 upgrades
A new 7.3.4-E4 code release has come out for the Cisco IPS modules. I'm going to upgrade a few IPS modules to see what's new.
IPS-SSP_20-K9-7.3-4-E4.pkg
http://www.cisco.com/c/en/us/support/security/intrusion-prevention-system/products-configuration-examples-list.html
What I found out that was shocking: if you execute password recovery from the Cisco ASA CLI using hw-module password reset, the IPS downgraded and reverted back to an earlier version of code.
I think this has to do with the recovery partition. I will test a few more and see what comes up.
Here's the current upgrade, 7.3.4-e4:
The main reason for upgrading the IPS modules was to test AAA RADIUS access and to see if RADIUS accounting was included. It seems it has not been added in version 7.3.4-e4.
Sunday, August 16, 2015
ipv4 map hex address tip
I was demoing a few IPv6 address formats, and there is one tip I would like to point out. If you ever want the hex form of a 32-bit IPv4 address, just use ping6 and give it the IPv4 address as the low 32 bits of an IPv6 address; the OS will convert it to the hex value for you.
Take the IPv4 address 10.10.80.1: how do we find the hex value?
SOC1>ping6 2001::10.10.80.1
PING6(56=40+8+8 bytes) 2001:db8:99:101:74cd:bd15:c861:9abf --> 2001::a0a:5001
a0a:5001 is the hex for 10.10.80.1: 0a 0a 50 01, one byte per octet, with the leading zero of each 16-bit group dropped in the printed form. So if you ever have an exam question asking you to transpose a 32-bit IPv4 address into its hex equivalent, this simple tip can speed up the conversion.
btw, this works under Mac OS X, Linux, BSD, and Cisco IOS/IOS-XR.
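The same conversion in code, as an added example that is not part of the original post: it uses Python's ipaddress module to do what ping6 did above, in both directions, and adds the ::ffff:0:0/96 IPv4-mapped form that dual-stack sockets report IPv4 peers in.

```python
"""IPv4 <-> IPv6 hex-group conversion, the same thing ping6 did above.

Added example, not part of the original post.
"""
import ipaddress


def ipv4_to_hex(addr):
    """'10.10.80.1' -> '0a0a5001': two hex digits per octet, zeros kept."""
    return ipaddress.IPv4Address(addr).packed.hex()


def ipv4_to_groups(addr):
    """'10.10.80.1' -> 'a0a:5001': the two 16-bit groups as ping6 prints them."""
    word = int(ipaddress.IPv4Address(addr))
    return f"{word >> 16:x}:{word & 0xFFFF:x}"


def embed_ipv4(prefix, addr):
    """Put an IPv4 address in the low 32 bits of an IPv6 prefix ('2001::', '::ffff:0:0')."""
    value = int(ipaddress.IPv6Address(prefix)) | int(ipaddress.IPv4Address(addr))
    return str(ipaddress.IPv6Address(value))


def extract_ipv4(addr6):
    """Recover the IPv4 address from the low 32 bits: '2001::a0a:5001' -> '10.10.80.1'."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(addr6)) & 0xFFFFFFFF))


def is_ipv4_mapped(addr6):
    """True for ::ffff:a.b.c.d, the form a dual-stack socket reports an IPv4 peer as."""
    return ipaddress.IPv6Address(addr6).ipv4_mapped is not None
```

extract_ipv4 is the direction you need when reading firewall or web logs from a dual-stack daemon, where an IPv4 client shows up as ::ffff:a0a:5001 rather than 10.10.80.1.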
Saturday, August 15, 2015
juniper SRX upgrade via ftp
Here's a simple and effective means of upgrading an SRX via the CLI using FTP. You could even script this on-box and run the script against your FTP server.
1st, I enabled the ftp daemon on my MacBook, since my main computer is a Mac:
sudo -s launchctl load -w /System/Library/LaunchDaemons/ftp.plist
2nd, we execute the request command and specify the FTP URL.
3rd and lastly, you reboot the system.
As you can see, the upgrade failed because the image did not match the platform.
I found it funny that if you try to use an FTP URL with an IPv6 literal, it does not work;
ftp://kfelix:mypasswordhere1@[2001:db8:8::6a5b:35ff:feab:3d27]/junos-srxsme-12.3X48-D15.4-domestic.tgz
check your username/password to ensure the credentials and file are correct
Keep in mind that the FTP username and password ride in the URL in clear text, both on the wire and in the CLI history, so use a throwaway account that is reachable only from the management network.
Friday, August 14, 2015
Fortimail disable SSLv3
Here's a way to validate that SSLv3 is disabled on a FortiMail. You can use openssl, your web browser, or an online SSLv3 checker,
e.g.
https://foundeo.com/products/iis-weak-ssl-ciphers/
Here's a properly disabled SSLv3 and SSLv2 (FortiMail appliance):
And an at-risk site (an Apache website of mine, used for testing):
So ensure your FortiMail appliance does not accept SSLv3 connections. In fact, all of your websites should be secured against SSLv3 and SSLv2 connections.
To disable SSLv3 support:
config system global
set strong-crypto enable
end
And you can test via the above link or via openssl:
SSLv3 is now known to have flaws (POODLE, CVE-2014-3566, is the well-known one), and you should stay aware of the vulnerabilities and any listed CVEs.
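As an added example (not FortiMail or Fortinet code, and not from the original post), here is what an SSLv3 checker actually does. Modern OpenSSL builds, and therefore Python's own ssl module, refuse to speak SSLv3 at all, so the probe hand-builds an SSLv3 ClientHello record, sends it and classifies the server's first reply. The cipher list is this example's choice, and the sample replies used to exercise the classifier are constructed bytes.

```python
"""Raw SSLv3 ClientHello probe, the check an "SSLv3 checker" performs.

Added example, not FortiMail or Fortinet code. The suite list is this
example's choice; no TLS library is involved, on purpose.
"""
import os
import socket
import struct

SSL3 = b"\x03\x00"
# Suites an SSLv3-era server would commonly still offer (RC4 and 3DES included on purpose).
SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]
ALERTS = {10: "unexpected_message", 40: "handshake_failure", 70: "protocol_version",
          80: "internal_error"}


def build_client_hello(suites=SUITES):
    """TLS record (type 22) carrying an SSLv3 ClientHello, no extensions."""
    body = SSL3 + os.urandom(32) + b"\x00"                      # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Interpret the first record the server sends back to the SSLv3 hello."""
    if not data:
        return "closed: server dropped the connection"
    if data[0] == 0x15 and len(data) >= 7:                       # alert record
        desc = data[6]
        return f"rejected: alert {desc} ({ALERTS.get(desc, 'unknown')})"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        if data[9:11] != SSL3:
            return f"rejected: server answered with version {data[9]}.{data[10]}"
        result = "accepted: server negotiated SSLv3"
        if len(data) > 43 and len(data) >= 46 + data[43]:        # cipher suite follows session id
            off = 44 + data[43]
            result += f", suite 0x{struct.unpack('!H', data[off:off + 2])[0]:04x}"
        return result
    return "unknown: unexpected first record"


def probe(host, port=443, timeout=5):
    """Send the hello and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_reply(reply)
```

probe('mail.example.com', 443), or port 465 for SMTPS, returns an "accepted" line only if the server answers with a ServerHello whose version is 3.0; an alert or a dropped connection means SSLv3 is off. Ports that speak STARTTLS first (25, 587) need the STARTTLS exchange before the hello, which this probe does not do.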
Thursday, August 13, 2015
Basic BGP configurations huawei
Here are two examples of enabling BGP peering for IPv4 unicast or IPv6 unicast on Huawei routers.
As with Cisco, you have to use an IPv4 address for the BGP router-id.
A few useful BGP display commands for Huawei;
display bgp sum
display bgp peer verbose
display bgp peers
display bgp routing-table
display bgp ipv6 routing-table
reset bgp all ( reset all bgp sessions )
reset bgp group <group name> ( reset just those peers in that group )
reset bgp 1.1.1.1 ( reset just the defined peer )
www.huawei.com/
Wednesday, August 12, 2015
SANS training calendar
Information for upcoming SANS training events:
http://www.sans.org/security-training/by-location/all?utm_source=web&utm_medium=text-ad&utm_content=generic_rr_pdf_list1&utm_campaign=Reading_Room&ref=36919
Testing certificate revocation
Testing your browser's revocation checking is quite simple. A site with a revoked certificate exists just for this purpose, at the following URL. It is great for testing your browser's security features or a proxy.
https://revoked.grc.com/
Now here are some screenshots of Firefox / Chrome / Safari / Opera on Mac OS X 10.10.4. You will be surprised.
Screenshots: firefox, chrome, safari, opera
These browsers are going through a small Linux proxy that does not terminate TLS or do any certificate revocation checks, so whatever the browser does or does not do is passed through. A few proxies exist that will conduct certificate revocation checks on behalf of browsers that don't.
ipv6 fun IOS-XR
In this post I will list some interesting things in IOS-XR.
1st, VRF IPv6 unicast max-prefix counts are limited on the low end to 32 prefixes. So if you want to limit a VRF to fewer IPv6 prefixes than that, you CAN NOT.
RP/0/RSP1/CPU0:CRCHI1#show run vrf
Wed Aug 12 13:21:32.266 CST
vrf GED01
description Network 192.168.10.0
address-family ipv4 unicast
maximum prefix 1000
!
address-family ipv6 unicast
maximum prefix 32 <------HERE
!
!
2nd, I found out the mgmt interface cannot participate in IPv6 RAs. So if you want to advertise prefixes using the mgmt interface, it will not work.
3rd, when you exceed the max prefixes for that VRF, you will receive a warning and the prefixes that exceed the limit will be dropped.
Next, IPv6 addressing and ND RA configuration is similar to IOS. Here's a sample cfg.
Lastly, as on other devices, the number of IPv6 prefixes you can advertise is limited by the link MTU, since an RA is a single unfragmented packet. A 1500-byte MTU limits you to approx 32-44 prefixes max, depending on your RA configuration and whether you also carry other goodies such as IPv6 DNS servers, domain or search list options.
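The arithmetic behind that 32-44 figure, as an added example that is not IOS-XR code and not from the original post: the RA is a single packet, so the IPv6 header, the RA header and each option (sizes from RFC 4861 and RFC 8106) come out of the link MTU, and whatever is left is divided by the 32-byte Prefix Information option. The DNS names and server counts are constructed inputs.

```python
"""Size budget of one ICMPv6 Router Advertisement on a given link MTU.

Added example, not IOS-XR code. Option sizes follow RFC 4861 (SLLA, MTU,
Prefix Information) and RFC 8106 (RDNSS, DNSSL); inputs are constructed.
"""

IPV6_HEADER = 40
RA_HEADER = 16          # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
PREFIX_OPTION = 32      # Prefix Information option, fixed size
SLLA_OPTION = 8         # Source Link-Layer Address option on Ethernet
MTU_OPTION = 8


def dnssl_option_bytes(search_list):
    """DNSSL option: 8-byte header plus DNS wire-format names, zero-padded to 8."""
    names = sum(sum(len(label) + 1 for label in name.split(".")) + 1 for name in search_list)
    return 8 + names + (-names % 8)


def rdnss_option_bytes(server_count):
    """RDNSS option: 8-byte header plus one 16-byte IPv6 address per server."""
    return 8 + 16 * server_count


def max_prefixes(link_mtu, dns_servers=0, search_list=(), slla=True, mtu_option=True):
    """How many Prefix Information options fit in one RA on this link."""
    fixed = IPV6_HEADER + RA_HEADER
    fixed += SLLA_OPTION if slla else 0
    fixed += MTU_OPTION if mtu_option else 0
    if dns_servers:
        fixed += rdnss_option_bytes(dns_servers)
    if search_list:
        fixed += dnssl_option_bytes(search_list)
    if fixed > link_mtu:
        raise ValueError("RA options alone exceed the link MTU")
    return (link_mtu - fixed) // PREFIX_OPTION
```

max_prefixes(1500) gives the 44 upper bound (SLLA and MTU options only); adding two RDNSS servers and one search domain brings it down to 42, and a 1280-byte minimum-MTU link with three DNS servers and two search domains lands in the mid-30s, which is the range the post quotes.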
Sonus SBC 5110 stuck no access
I'm up now at 03:00 AM to reset a Sonus SBC that's running with no WebGUI access. It's been like that for the last 3 weeks while we attempt to get a maintenance release from the SP.
That's right, we have to stop the apps and reboot a host just to regain WebGUI or SSH access.
The 5K SBCs are great little boxes that run, but they can produce a ton of issues, and support is skeptical at finding resolutions imho.
I hope in the near future to start evaluations of the Genband Q series platform.
http://www.genband.com/products/session-border-controllers
Tuesday, August 11, 2015
Fortimail upgrades
I've been evaluating the FortiMail build 290 on an FML100C. This is the last build for this model, btw.
You can upgrade in the following migration steps:
So my unit, which has been running flawlessly for the last 6+ months, underwent an upgrade.
And after all upgrades it's best to execute simple and quick mail checks (can I send and receive email, open-relay checks, etc.) and monitor over the next 96 hours.
pfsense ipv6 router preferences
With the open-source pfSense firewall and IPv6, you have the luxury of setting the router preference in the ICMPv6 RAs. This helps when you have multiple routers available on a LAN subnet.
When a host has IPv6 enabled on its local interface, the router advertising the higher preference is used as the default next hop.
In the ICMPv6 RA you can validate the preference. Here are a few examples of pfSense RT-ADV settings and validations:
Screenshots: tcpdump output; router preference set to high prf; router preference normal prf, plus other goodies including the search list and DNS servers.
You cannot adjust basic items such as the interval, default lifetime, or min/max lifetimes from the webGUI.
You can use the online pfSense docs for more information on the differences between the modes (managed, unmanaged, router-only). The tcpdump/tshark output will also reflect the bits that are changed and raised in the Router Advertisements.
https://doc.pfsense.org/index.php/Router_Advertisements
https://en.wikipedia.org/wiki/PfSense
It's best to understand the differences between managed, unmanaged and stateless DHCPv6, etc.
pfSense is one of the coolest open-source network firewalls out there.
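An added example, not pfSense code and not from the original post, that shows in code what the tcpdump output above is displaying: how the M/O flags and the 2-bit router preference (RFC 4191) are packed into the RA flags byte, and how the RDNSS and DNSSL options (RFC 8106) are laid out. Prefixes, DNS servers and the MAC address are constructed values, and the checksum is left at zero because the kernel fills it in on send.

```python
"""Build and decode ICMPv6 Router Advertisements (RFC 4861, RFC 4191, RFC 8106).

Added example, not pfSense code. Addresses and the MAC are constructed values;
the ICMPv6 checksum is left at zero because the sending kernel computes it.
"""
import ipaddress
import struct

RA_TYPE = 134
RA_HEADER = 16                  # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
PRF_BITS = {"high": 1, "medium": 0, "low": 3}          # RFC 4191 Prf encoding, bits 4-3 of flags
PRF_NAMES = {1: "high", 0: "medium", 3: "low", 2: "reserved (treat as medium)"}
OPT_SLLA, OPT_PREFIX, OPT_MTU, OPT_RDNSS, OPT_DNSSL = 1, 3, 5, 25, 31


def _encode_names(names):
    """DNS wire-format labels for a DNSSL option, zero-padded to a multiple of 8."""
    wire = b"".join(b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
                    for n in names)
    return wire + b"\x00" * (-len(wire) % 8)


def _decode_names(wire):
    """Inverse of _encode_names; stops at the first padding byte."""
    names, pos = [], 0
    while pos < len(wire) and wire[pos]:
        labels = []
        while wire[pos]:
            n = wire[pos]
            labels.append(wire[pos + 1:pos + 1 + n].decode())
            pos += 1 + n
        names.append(".".join(labels))
        pos += 1                                        # name terminator
    return names


def build_ra(prefixes, prf="medium", managed=False, other=False, mtu_option=None,
             rdnss=(), dnssl=(), lifetime=1800, mac=b"\x00\x11\x22\x33\x44\x55"):
    """ICMPv6 RA payload: header, SLLA, optional MTU, prefix, RDNSS and DNSSL options."""
    flags = (managed << 7) | (other << 6) | (PRF_BITS[prf] << 3)
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, lifetime, 0, 0)
    msg += struct.pack("!BB", OPT_SLLA, 1) + mac
    if mtu_option:
        msg += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu_option)
    for p in prefixes:                                  # 32 bytes each; flags 0xC0 = L and A set
        net = ipaddress.IPv6Network(p)
        msg += struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        msg += net.network_address.packed
    if rdnss:
        msg += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, lifetime)
        msg += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    if dnssl:
        names = _encode_names(dnssl)
        msg += struct.pack("!BBHI", OPT_DNSSL, 1 + len(names) // 8, 0, lifetime) + names
    return msg


def parse_ra(msg):
    """Decode the header flags and the options of an RA into a dict."""
    typ, _, _, hop, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", msg[:RA_HEADER])
    if typ != RA_TYPE:
        raise ValueError("not a router advertisement")
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "prf": PRF_NAMES[(flags >> 3) & 3], "router_lifetime": lifetime,
          "mtu": None, "prefixes": [], "rdnss": [], "dnssl": []}
    pos = RA_HEADER
    while pos + 2 <= len(msg):
        otype, olen = msg[pos], msg[pos + 1] * 8
        if olen == 0:
            raise ValueError("zero-length option")     # RFC 4861: the packet must be discarded
        body = msg[pos + 2:pos + olen]                # option body after the type/length bytes
        if otype == OPT_PREFIX:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == OPT_MTU:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif otype == OPT_RDNSS:
            ra["rdnss"] = [str(ipaddress.IPv6Address(body[i:i + 16]))
                           for i in range(6, len(body), 16)]
        elif otype == OPT_DNSSL:
            ra["dnssl"] = _decode_names(body[6:])
        pos += olen
    return ra
```

parse_ra(build_ra(["2001:db8:1::/64"], prf="high")) reports 'prf': 'high'; feed parse_ra the ICMPv6 payload of a captured RA (everything after the 40-byte IPv6 header) to decode what a real router, pfSense included, is sending, and compare the prf value against what tcpdump prints.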