Thursday, December 29, 2016

Dual active/active F5 GTM

If you want to run a pair of GTMs in one data center active/active for DNS, you only need to create a second traffic group and put a listener on it.

This lets the pair handle more DNS queries per second and spreads the DNS load to some degree (the split depends on which of the two name servers each resolver picks).




For both traffic-group-1 and traffic-group-2 you need listeners on the same address for UDP and for TCP; TCP is not optional, since resolvers fall back to it for truncated answers.




In your zone file, list both listener addresses as name servers: an NS record for each, plus the matching A (glue) records.
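The same setup in tmsh, as an added example rather than the post's own screenshots. The unit names (gtm1.example.net, gtm2.example.net), the listener addresses (192.0.2.53, 192.0.2.54) and the object names are assumptions; the listener and virtual-address attributes are the ones documented for BIG-IP 11.x/12.x tmsh, so confirm them against the tmsh reference for your release.

```tmsh
# Assumed: two GTM units, gtm1.example.net and gtm2.example.net, already in a
# sync-failover device group; listener addresses 192.0.2.53 and 192.0.2.54.

# 1. A second traffic group that prefers the other unit, so each box is active
#    for one address and standby for the other.
create cm traffic-group traffic-group-2 ha-order { gtm2.example.net gtm1.example.net }
modify cm traffic-group traffic-group-1 ha-order { gtm1.example.net gtm2.example.net }

# 2. Listeners: each address gets BOTH a UDP and a TCP listener. TCP is needed
#    for truncated answers (responses over 512 bytes without EDNS) and for
#    zone transfers if you ever allow them.
create gtm listener dns_tg1_udp address 192.0.2.53 port 53 ip-protocol udp
create gtm listener dns_tg1_tcp address 192.0.2.53 port 53 ip-protocol tcp
create gtm listener dns_tg2_udp address 192.0.2.54 port 53 ip-protocol udp
create gtm listener dns_tg2_tcp address 192.0.2.54 port 53 ip-protocol tcp

# 3. A listener address is a virtual address; its traffic group decides which
#    unit owns it. 192.0.2.53 stays in traffic-group-1 (the default),
#    192.0.2.54 is moved to traffic-group-2.
modify ltm virtual-address 192.0.2.54 traffic-group traffic-group-2

# 4. Verify, then save and sync the device group as usual.
list gtm listener
list ltm virtual-address 192.0.2.53 traffic-group
list ltm virtual-address 192.0.2.54 traffic-group
save sys config
```

With both addresses live, the zone gets two NS records (say ns1 and ns2) with A glue records pointing at 192.0.2.53 and 192.0.2.54; resolvers spread queries across the two, which is where the load sharing comes from. Before publishing the NS records, confirm each address answers over both transports from a resolver (dig @192.0.2.54 soa your.zone, then the same query with +tcp), and check that a failover of one traffic group moves exactly one address.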


Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

Sunday, December 25, 2016

HOWTO: delete the FortiGate admin account

An out-of-the-box FortiGate has a user account named "admin". It is a pre-defined account that cannot be deleted as-is, but there is a round-about way to get rid of it.


1st, create a new local account with the super_admin profile


config system admin
    edit mynewadmin
        set accprofile super_admin
        set password <strong-password>
    next
end


2nd, log in as the new account and rename the "admin" account to a new name

e.g.

config sys admin
  rename admin to  deladmin
end

3rd, delete the renamed account. Make sure it is not in use or logged in anywhere, and do this from a session opened as the new account, not as the account you are deleting.


e.g.

config sys admin
    delete  deladmin
end



The reserved names "" and "" cannot be used or eliminated.


Ken

Merry Christmas

Merry Christmas and happy holidays from SocPuppets


Ken

Sunday, December 18, 2016

FortiAnalyzer dual AAA TACACS servers, bug ID 0375204

Well, support sent me a follow-up email about a previous case where redundant AAA servers were not being honored when we used the user type of group.

They listed this as bug 0375204.

So with the new build I gave it a test run, and the problem is fixed.

v5.4.2-build1151 161213 (GA)


Be advised: IPsec is not supported in 5.4.2, so you have to unset the IPsec tunnel on the FortiGate.


Ken

Friday, December 16, 2016

How to enable debug-level logging on F5 APM

For F5 APM access policies you can easily raise the logging level to get more verbose output. Here is an example of how to do this.


You will need tmsh access with the Administrator or Resource Administrator role, then modify the logging level.



Then re-check the value after execution.




To undo the change and revert to the default level:
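Since the screenshots with the actual commands did not survive, here is the tmsh sequence as an added example (not the post's own). The three sys db variables are the APM log-level keys F5 documents for apmd, SSO and access-control logging; which of them exist, and their defaults, vary by release, so treat the names and the "notice" default as assumptions and confirm them with the list commands before modifying anything.

```tmsh
# Assumed: tmsh on the APM unit, logged in with a role that may modify sys db
# variables (Administrator or Resource Administrator).

# Record the current levels first so you know what to revert to.
list sys db log.apmd.level
list sys db log.sso.level
list sys db log.accesscontrol.level

# Raise to debug only while reproducing the problem. Debug output in
# /var/log/apm can contain user names, session IDs and policy variables,
# so limit who can read the logs and do not leave it on.
modify sys db log.apmd.level value debug
modify sys db log.sso.level value debug
modify sys db log.accesscontrol.level value debug

# Re-check after execution.
list sys db log.apmd.level
list sys db log.sso.level
list sys db log.accesscontrol.level

# Undo: back to the default level (notice on the releases I have seen;
# use whatever the first list commands showed).
modify sys db log.apmd.level value notice
modify sys db log.sso.level value notice
modify sys db log.accesscontrol.level value notice
```

Watch the result with tail -f /var/log/apm while a user runs through the policy; the extra detail is only useful during the reproduction, and the revert is what keeps the log from filling with session data afterwards.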


Ken Felix

How to test various bad SSL conditions

When using a proxy or SSL inspection device, it is very useful to be able to test how various SSL/TLS errors are handled. The site badssl.com, used from your client browser, helps identify how each error surfaces.

Each browser can show different alerts, warnings or errors depending on browser type, revision, security settings, any in-path or MiTM inspection devices, etc.


badssl.com has been around for a while; it provides a subdomain for each of a number of broken-TLS conditions, and clicking a link reproduces that condition in your browser.

Examples of some of the conditions:

 


(expired certificate, SHA-1 signature, weak DH group, etc.)


So let's say you want to check your browser's error and behaviour against an expired certificate, and the reported outcome.


(examples)



Firefox


Opera


Chrome



I've used this site when testing FortiGate SSL inspection or other security appliances that do HTTPS inspection or MiTM, or to find out if your HTTPS proxy does any certificate validation at all.
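The browser test above is manual; the script below is an added example (not from the post) that does the same thing for a proxy or inspection device from the command line. It walks the public badssl.com test hosts with curl and flags any case that a properly validating client should reject but that succeeded, which is what you see when a proxy re-signs everything with a CA the client trusts and does not validate the upstream certificate itself. The expected-result table and the curl exit-code grouping are my own choices; curl honours the https_proxy environment variable if you need to go through an explicit proxy.

```shell
#!/bin/sh
# Added example: probe badssl.com through the current network path.
# Requires curl. Each host reproduces one broken-TLS condition; "fail" means a
# strict client must refuse the connection, "ok" is the control case.
BADSSL_CASES='
expired.badssl.com           fail
wrong.host.badssl.com        fail
self-signed.badssl.com       fail
untrusted-root.badssl.com    fail
sha1-intermediate.badssl.com fail
dh480.badssl.com             fail
rc4.badssl.com               fail
badssl.com                   ok
'

# classify <curl-exit-code>: ok | fail | other
# "fail" covers curl's TLS-layer failures for certificate and cipher problems:
# 35 handshake error, 51/60 certificate rejected, 59 cipher not usable.
classify() {
  case "$1" in
    0)           echo ok ;;
    35|51|59|60) echo fail ;;
    *)           echo other ;;   # DNS, timeout, HTTP-level: inconclusive
  esac
}

# verdict <expected> <observed>: PASS | ALERT | UNKNOWN
# ALERT on an expected-failure host means the path accepted a bad certificate;
# ALERT on the control host means the path breaks good TLS.
verdict() {
  if [ "$2" = other ]; then echo UNKNOWN
  elif [ "$1" = "$2" ]; then echo PASS
  else echo ALERT
  fi
}

# probe <host>: connect with curl's default trust store, return the result class.
# The "|| rc=$?" keeps a failing curl from aborting under set -e.
probe() {
  rc=0
  curl -sS -m 15 -o /dev/null "https://$1/" 2>/dev/null || rc=$?
  classify "$rc"
}

# run_badssl: one line per case (host, expected, observed, verdict)
run_badssl() {
  printf '%s\n' "$BADSSL_CASES" | while read -r host expected; do
    [ -n "$host" ] || continue
    observed=$(probe "$host")
    printf '%-30s expected=%-4s observed=%-5s %s\n' \
      "$host" "$expected" "$observed" "$(verdict "$expected" "$observed")"
  done
}

# Usage: sh badssl_probe.sh --run   (exit status 1 if any ALERT was printed)
[ "${1:-}" = "--run" ] && { out=$(run_badssl); printf '%s\n' "$out"; ! printf '%s\n' "$out" | grep -q ALERT; }
```

Run it once from a machine outside the proxy to confirm every row is PASS, then again from behind the proxy or inspection device; a row that flips to ALERT tells you which class of bad certificate the device is letting through. If the device re-signs with an enterprise CA, the client must trust that CA for the control host to pass, so the interesting result is the expected-failure rows, not the control.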



Ken Felix



Tuesday, December 13, 2016

CAcert and Let's Encrypt differences

A few differences exist between these two free Certificate Authorities (CAs); I will try to list some of them.

CAcert.org

https://cacert.org

  • is open and follows the typical open-community approach
  • inclusion is small: almost no modern browser trusts its root, so from the browser's point of view a CAcert certificate is effectively self-signed
  • issues certificates valid for six months
  • has one of the easiest domain validations, based on ICANN/whois data
  • needs no on-host software for issuance, renewal or revocation; everything is done through the web interface
  • a very good CA if you do not care about an established trust anchor and are just testing SSL/TLS certificates
  • cares less about the FQDN being real (you can get a certificate for a hostname that is not live or does not even exist)
  • does scrutinize the CSR details
  • requires domain validation
Let's Encrypt
https://letsencrypt.org/
  • much more advanced
  • requires more work and dependencies to get going (e.g. an ACME client), but in the end it is worth it
  • certificates expire after 90 days
  • requires the FQDN to be in place, publicly resolvable and pointing at a host you control
  • inclusion is strong, far stronger than CAcert: its chain is trusted by essentially every current browser
  • is trusted and trustworthy in the public web CA chain
  • scrutinizes CSR details to be correct
  • requires domain validation, so it cannot issue for internal-only names (e.g. ".local")
Conclusion

Let's Encrypt: if you are cheap, on a budget, testing a development site and need a short-lived, publicly trusted certificate, this is hands down what you should use.

If you need an internal CA for, say, an enterprise org, have no CA built, no budget and no understanding of CA design, then CAcert.org is a reasonable fit for those cases, bearing in mind that you will have to distribute its root to your clients yourself since the browsers do not ship it.



Knowing and understanding  the differences between these two free CAs , and where one is best suited is a must.

kfelix @ socpuppets.com

CAcert as an open CA (account management)

CAcert has been around for some time now.

https://cacert.org/

I've been playing with them this year, and one cool feature is client-certificate authentication for the web user interface.

Client-certificate auth gives quick and simple access to the CertManager interface with no password.

FWIW: the password recovery on the cacert.org website is very bad imho, but outside of that, certificates are easy to craft once you have been approved. The approval process requires a simple domain validation and a valid email address.



To use client auth for web interface access you only need to complete a few tasks. Here are a few screenshots (sanitized of my account details).

1: select New under Client Certificates



2: define a user-friendly name (this helps you remember what it was for, or which email address/account it belongs to if you manage several)




3: select 2048-bit key strength


 


Review the certificate details, then download the certificate and its private key to a safe location and keep them encrypted; this key is now a password-equivalent for your CA account.


NOTE: the client certificate's subjectAltName is the email address used by your CAcert account.


 


When logging in you must use the certificate login after importing the certificate into your local certificate store. I'm on macOS, so that's Keychain Access.
 





Now you can manage and issue certificates for the domains you validated previously.



Certificate lifetimes are much longer than with Let's Encrypt, the other free CA. CAcert is great for proofs of concept, demos, labs, development sites, training or just testing.


https://cacert.org/
https://en.wikipedia.org/wiki/CAcert.org

Be advised that most browsers do not trust certificates issued by cacert.org, so YMMV on how trustworthy cacert.org is as a Certificate Authority.


kfelix @ socpuppets.com

SSL attribute section unreadable

Have you ever crafted a CSR, set the subject attributes, and then found the attributes were unreadable when viewed with openssl or one of the many CSR/certificate checkers?


The problem could be the string_mask, which decides what ASN.1 string type OpenSSL uses to encode each attribute value.




Here's the manpage for openssl req



Now let's look at how we set the string mask in our OpenSSL config file: it goes in the [ req ] section, as string_mask = utf8only.



Now with the CLI command openssl req -in <csrname> -noout -text the attribute strings are readable.
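An added example (not from the post) that reproduces the problem and the fix end to end. It builds two CSRs from the same subject, which carries a non-ASCII character in the locality (Zürich, a constructed lab value), once with string_mask = default and once with string_mask = utf8only, and then uses openssl asn1parse to show which ASN.1 string type was chosen. Under the default mask a Latin-1 character becomes a T61String, which is what many checkers render as garbage; under utf8only it becomes a UTF8String. The subject values and file names are assumptions; it requires the openssl CLI.

```shell
#!/bin/sh
# Added example: string_mask and the ASN.1 string type of CSR attributes.

# write_req_cnf <string_mask> <file>: minimal req config; the mask lives in [ req ]
write_req_cnf() {
  cat > "$2" <<EOF
[ req ]
distinguished_name = req_dn
string_mask        = $1
prompt             = no

[ req_dn ]
CN = placeholder.example.com
EOF
}

# subject_string_type <string_mask>: build a CSR with the given mask and print
# the ASN.1 type OpenSSL used for L=Zürich (the only non-printable value).
subject_string_type() {
  dir=$(mktemp -d)
  write_req_cnf "$1" "$dir/req.cnf"
  # -utf8 tells req that the -subj bytes are UTF-8; without it "ü" would be
  # read as two Latin-1 characters.
  openssl req -new -newkey rsa:2048 -nodes -utf8 -config "$dir/req.cnf" \
    -keyout "$dir/lab.key" -out "$dir/lab.csr" \
    -subj '/C=CH/L=Zürich/O=SocPuppets Lab/CN=lab.example.com' 2>/dev/null
  # C, O and CN are plain printable and come out as PRINTABLESTRING under both
  # masks, so the first T61/UTF8/BMP hit is the locality.
  openssl asn1parse -in "$dir/lab.csr" | grep -oE 'T61STRING|UTF8STRING|BMPSTRING' | head -n 1
  rm -rf "$dir"
}

# show_csr <file>: the check from the post; values are readable here only when
# they were encoded as UTF8String or PrintableString.
show_csr() {
  openssl req -in "$1" -noout -text
}

# Usage:
#   subject_string_type default    -> T61STRING   (the unreadable case)
#   subject_string_type utf8only   -> UTF8STRING  (the fix)
```

The same mask setting matters on the CA side: if the signing CA copies the subject from the CSR the T61String travels into the certificate, so set utf8only in both the req and the ca configuration. Note that the test cases above only differ in the one non-ASCII value; an all-ASCII subject is PrintableString under either mask and will look fine everywhere, which is why this problem tends to surface only for organisations or localities with accented names.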


kfelix @ socpuppets.com

Thursday, December 1, 2016

TLS/SSL certificates alternatives

A problem exists in every modern browser, and mainly with the human behind the keyboard.

We are all human, and trusting by nature!

Since most people do not understand SSL/TLS, much less what an X.509 certificate does, they do risky things that put them in danger because of that trusting nature.


  • How many times have we seen a browser-side certificate error and clicked through it?
  • Do we even know what those errors mean?
  • Do we even bother to investigate?
For 7 out of 10 people I would say the answer to all of the above is no.


Most individuals in an IT environment have no clue either, and yet we expect the end user to understand it all.


In the big Certificate Authority (CA) pyramid, we put a lot of trust in the CA, the intermediates and the server certificates.

A client (end user) who sees HTTPS in the URL assumes they are 100% secure and protected, but has little to no information to determine whether there is a MiTM, or even whether the site is really that site.

We see this every day with the various phishing attacks and rogue sites spread across the internet.

The sovereign key concept should be taken more seriously, since it removes a site's dependency on a central authority.

(You can read more about the proposal here:)

https://git.eff.org/?p=sovereign-keys.git;a=blob_plain;f=sovereign-key-design.txt;hb=master


The goal with sovereign keys is to tie a site's certificate to a key the site controls, recorded in an append-only public timeline, so that certificate validation also checks that key rather than only the CA signature.

Take my day job: they run internal users through a proxy, and the end users have no clue that a proxy is in the path and that the certificate is really not the real site's. But again, they see the lock icon and think all is good and they are 100% safe.



With sovereign keys, every HTTPS proxy would break. Today we have hundreds of CAs, any one of which may be trusted by the end user (the browser); any of them could forge a certificate and the end user would be none the wiser that the site is really not that site.



We need a means of validating the website's certificate for just that site. With sovereign keys we can really validate the site we are connecting to, and break the dependency on simply trusting the CA and the certificate presented by the website.

Just food for thought when you are on a foreign network and think you are connecting to that site. Remember, someone somewhere could be peeking.




Ken Felix


Friday, November 25, 2016

Dates with self-signed certificates and openssl

I was playing around with self-signed certificates in openssl and noticed a date typo in the signed certificate. My goal was to see how many days you can set a certificate for.



OpenSSL> version
OpenSSL 0.9.8zg 14 July 2015



(Notice the date and the certificate import failure on the F5 BIG-IP LTM; the appliance was probably saying WTF, 51 days in October?????)




2799 years!


So finally I was able to get the certificate signed and successfully imported. Look at the dates now.
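An added example (not from the post): mint a self-signed certificate for a chosen number of days and sanity-check its validity window on the workstation, so a bogus notBefore/notAfter like the one above is caught before the appliance rejects the import. The checks use openssl x509 -checkend rather than parsing the date strings, so they behave the same on GNU and BSD userlands. The subject and file names are constructed lab values; it requires the openssl CLI.

```shell
#!/bin/sh
# Added example: self-signed certificate lifetimes and a pre-import sanity check.

# mk_selfsigned <days> <prefix>: writes <prefix>.key and <prefix>.crt
mk_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -sha256 \
    -subj '/CN=lab.example.com' -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# show_validity <cert>: the two fields an importer looks at
show_validity() {
  openssl x509 -in "$1" -noout -startdate -enddate
}

# lifetime_is <cert> <days>: true if notAfter is <days> from now, within an hour.
# -checkend N exits 0 when the cert is still valid N seconds from now and 1 when
# it will have expired, so bracketing the expected moment pins the lifetime.
lifetime_is() {
  secs=$(( $2 * 86400 ))
  openssl x509 -in "$1" -noout -checkend $(( secs - 3600 )) >/dev/null &&
  ! openssl x509 -in "$1" -noout -checkend $(( secs + 3600 )) >/dev/null
}

# sane_for_import <cert> <max_days>: true if the cert is valid right now and
# does not outlive <max_days>. A 2799-year certificate fails this; a ten-year
# one passes when max_days is 3650.
sane_for_import() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null &&
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage:
#   mk_selfsigned 3650 lab && show_validity lab.crt
#   sane_for_import lab.crt 3650 && echo "ok to import" || echo "reject"
```

Dates past 2049 are encoded as GeneralizedTime instead of UTCTime, and some importers and old OpenSSL builds handle that boundary badly, which is one reason an appliance may refuse a certificate whose notAfter is centuries out even when openssl itself prints the dates happily. Keep test certificates to a lifetime the target device is known to accept, and run the sanity check on anything produced by an unusual toolchain before importing it.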


Ken Felix