Very sad: I tried to install FortiToken on my updated OS X machine and found the DMG installer fails. It does prompt you with a warning.
What's going on here? The software fob works great from the security store, though.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
Wednesday, January 20, 2016
Tuesday, January 12, 2016
pfSense has competition from OPNsense
OPNsense is a direct fork of pfSense and encompasses many of the same features and much more.
https://opnsense.org/
Nobody should be surprised this fork has come out, and it's nice to see the next level of open-source networking; hopefully it gets a big following.
I will be checking IPv6 function over the next few weeks, and hope to report back with some positive things.
https://opnsense.org/blog/
Should we be losing faith in Fortinet?
The latest news is really sad and a big disappointment from Fortinet. Backdoor access over SSH has been disclosed in FortiOS, and a simple Python script that demonstrates the access has been published.
Here's a snapshot from the FTNT blog
http://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios
So if a security company can't get it right, that makes one wonder what else they are doing that we don't know about.
To mitigate this, either upgrade or remove ssh from allowaccess on every interface. If you must run SSH, move it to a non-standard port or deploy two-tier access: SSL VPN first, then allow SSH only on the SSL VPN interface. Note that a non-standard port only reduces exposure to scanners; it does not remove the flaw, so upgrading is the real fix.
http://socpuppet.blogspot.com/2014/12/hardening-your-unix-ssh-server-access.html
http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html
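As an added example (my code, not Fortinet's and not from the original post), here is a POSIX shell audit that walks an exported FortiOS configuration and lists every interface whose allowaccess still contains ssh, plus the admin SSH port. The configuration below is constructed for the demo; interface names and addresses are illustrative. It tracks nested config/end blocks (such as config ipv6 inside an interface) so an inner end does not terminate the interface table early.

```shell
#!/bin/sh
# Added example (not Fortinet's or the post's own code): audit an exported
# FortiOS configuration for interfaces that still expose SSH via allowaccess,
# and report the admin SSH port. The config below is constructed for the demo.

SAMPLE_CFG=$(cat <<'EOF'
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm
        config ipv6
            set ip6-allowaccess ping https
        end
    next
    edit "dmz"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https
    next
    edit "ssl.root"
        set type tunnel
        set allowaccess ping ssh
    next
end
config system global
    set admintimeout 5
end
EOF
)

# ssh_exposed_interfaces < config -> names of interfaces whose allowaccess
# list contains "ssh". Nested config/end blocks (e.g. "config ipv6") are
# tracked by depth so an inner "end" does not close the interface table.
ssh_exposed_interfaces() {
    awk '
        $1 == "config" { depth++; if ($0 ~ /^ *config system interface *$/) { in_if = 1; if_depth = depth } ; next }
        $1 == "end"    { if (in_if && depth == if_depth) in_if = 0; depth--; next }
        in_if && depth == if_depth && $1 == "edit" { name = $2; gsub(/"/, "", name); next }
        in_if && depth == if_depth && $1 == "set" && $2 == "allowaccess" {
            for (i = 3; i <= NF; i++) if ($i == "ssh") { print name; break }
        }
    '
}

# admin_ssh_port < config -> configured "set admin-ssh-port", or 22 when the
# config still uses the FortiOS default
admin_ssh_port() {
    awk '$1 == "set" && $2 == "admin-ssh-port" { print $3; found = 1 }
         END { if (!found) print 22 }'
}

# Report: SSH on the SSL VPN tunnel interface (ssl.root) is the two-tier
# setup recommended above; SSH on any other interface should be removed
# ("set allowaccess ping https") or the box upgraded.
printf '%s\n' "$SAMPLE_CFG" | ssh_exposed_interfaces | while read -r ifname; do
    case "$ifname" in
        ssl.*) echo "ok     $ifname: ssh reachable only after SSL VPN login" ;;
        *)     echo "REVIEW $ifname: ssh in allowaccess" ;;
    esac
done
echo "admin-ssh-port: $(printf '%s\n' "$SAMPLE_CFG" | admin_ssh_port)"
```

Run it against a real backup with `ssh_exposed_interfaces < fgt-backup.conf`; anything other than the SSL VPN tunnel interface showing up is a candidate for `set allowaccess ping https` until the unit is on a fixed build.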
PCNSE backpack
One benefit of getting the Palo Alto PCNSE is that they give you a nice backpack.
The order process is simple: it only needs your certificate ID and a few steps for the shipping address.
I found this label in the bag that I thought was funny: "CheckMate" (cough... Check Point).
Friday, January 8, 2016
unsupported transceiver NXOS
In this post I will demo the "Time" generic twinax transceiver connection under NX-OS. These transceiver assemblies support 1/10 GigE and are much cheaper than Cisco-labeled ones.
These are passive and support up to 5m of distance. Here are a few show command outputs;
Thursday, January 7, 2016
max value fortiOS print tablesize
FortiOS can set limits per VDOM, but it's also nice to know the maximum values that can be set globally or per VDOM.
The CLI command print tablesize provides detailed information based on the FortiOS version and model.
A simple output looks like;
system.vdom: 0 0 10
The 1st column is per instance, the 2nd column per VDOM, and the 3rd column global. So in the above example the total VDOM count globally is capped at 10. The first two columns are not useful here.
You can also use the Fortinet KB to find the maximum value metrics. When you exceed a max value, you will get a simple command failure.
e.g. ( CLI for SNMP user, a max value of 32 )
FortiOS diag debug flow filters
Here's some very strange behavior with diag debug flow. I was playing around looking at incorrect network numbers and wanted to see if I could try some weird address filters with diag debug flow.
Check this out;
You can't specify a loopback net 127 address, but you can specify an improper IPv4 address and a broadcast address.
So how about IPv6? Well, let's find out.
Wednesday, January 6, 2016
a prime, on prime using openssl
Have you ever wanted a simple means to determine whether a number is prime and not composite?
The openssl prime option lets you validate whether a number is prime.
In this example we use openssl to check numbers in the range 100000 to 1000000 for primality.
e.g #1
e.g #2
e.g #3
Monday, January 4, 2016
Using GNU TLS binary for debugging SSL/TLS
Have you ever wondered about SSL/TLS connection details and needed a simple binary for the purpose? openssl is a great tool for various conversions and CSR/private key generation, but the GnuTLS client (gnutls-cli) is the master workshop tool.
Here's a simple execution with no verbose output;
How about if you ever wonder whether the certificate is a wildcard or SAN certificate;
Here are nsa.com and nsa.gov; look at which one deploys DH key exchange;
note: use "--insecure" for certificates that do not validate
How about inspecting the CA chain depth: the certificates in the chain are numbered starting from the end entity up to the top CA. Here ssl.com has a chain 4 links deep.
The --print-cert option provides the certificates in X.509 form along with the DH info. Here's my virtual pfSense instance.
The gnutls-cli binary is great if you work with server certificates and need to validate server SSL/TLS connections and profiles, such as when working with SLBs ( A10, F5, Kemp, ServerIron, LVS ) or web servers ( MS, Apache2, Nginx ).
Sunday, January 3, 2016
Palo Alto universal rule-type
What's a universal rule type? We all understand intrazone and interzone policies, but universal is really a combination of the two.
Examples
intrazone rule
SRC_ZONE=trust1
DST_ZONE=trust1
traffic whose src and dst zone are the same zone
interzone rule
SRC_ZONE=trust1
DST_ZONE=untrust1
traffic whose src and dst zones are two different zones
But with a universal rule we can define all of the following zone flows in one rule:
universal rule
SRC_ZONE=trust1 DST_ZONE=untrust1
SRC_ZONE=untrust1 DST_ZONE=trust1
or
SRC_ZONE=trust1 DST_ZONE=trust1
SRC_ZONE=untrust1 DST_ZONE=untrust1
It simplifies rules to catch both intra- and interzone traffic.
Yes, it's that easy!
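As an added example (my code, not Palo Alto's), here is a small POSIX shell model of how PAN-OS picks a security rule by rule type, so the three types above can be checked against concrete flows. Zone lists are comma separated and "any" matches every zone; for an intrazone rule PAN-OS shows the destination as "(intrazone)" and only the source list matters. The zone names are the post's trust1/untrust1.

```shell
#!/bin/sh
# Added example (not Palo Alto's code): model PAN-OS rule-type matching for
# intrazone / interzone / universal security policies.

# in_list ZONE LIST -> exit 0 if ZONE is in the comma-separated LIST or LIST is "any"
in_list() {
    [ "$2" = any ] && return 0
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# rule_matches TYPE SRC_ZONES DST_ZONES FLOW_SRC FLOW_DST
#   intrazone : flow src == flow dst, and src in SRC_ZONES (DST_ZONES ignored)
#   interzone : flow src != flow dst, src in SRC_ZONES, dst in DST_ZONES
#   universal : src in SRC_ZONES, dst in DST_ZONES, same or different zone
rule_matches() {
    in_list "$4" "$2" || return 1
    case "$1" in
        intrazone) [ "$4" = "$5" ] ;;
        interzone) [ "$4" != "$5" ] && in_list "$5" "$3" ;;
        universal) in_list "$5" "$3" ;;
        *) echo "unknown rule type: $1" >&2; return 2 ;;
    esac
}

# show LABEL TYPE SRC_ZONES DST_ZONES -> evaluate the four trust1/untrust1 flows
show() {
    for flow in trust1:untrust1 untrust1:trust1 trust1:trust1 untrust1:untrust1; do
        fs=${flow%%:*}; fd=${flow##*:}
        if rule_matches "$2" "$3" "$4" "$fs" "$fd"; then r=match; else r=no; fi
        printf '%-6s %-9s %-9s -> %-9s %s\n' "$1" "$2" "$fs" "$fd" "$r"
    done
}

show intra intrazone trust1          "(intrazone)"
show inter interzone trust1          untrust1
show univ  universal trust1,untrust1 trust1,untrust1
```

The output shows the interzone rule above only catches trust1 to untrust1 (the reverse direction needs its own rule or both zones in both lists), while the universal rule with both zones in both lists matches all four flows. That breadth is the thing to watch: PAN-OS ends every rulebase with intrazone-default (allow) and interzone-default (deny), so a universal rule that was meant to be interzone also silently covers traffic inside each zone.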
Saturday, January 2, 2016
howto validate a user certificate that's signed by a CA root or intermediate in a chain
Have you ever had a user certificate for a VPN ( SSL/IPsec/OpenVPN ) and wondered whether the user certificate chains to the corresponding signing certificate?
Here's a quick and dirty method for verifying certificate chaining with openssl against user certificates issued by a private CA.
Take these certificates;
As you can see, they verify against the CA certificate myopenvpn.crt, but all have expired.
Now here are 3 user certificates named user1, 2 and 3;
btw: all 3 of these users have a different key size, as indicated here. The key size has no bearing on verification.
( see below )
Here are a few certificates not in the trust chain that fail (certificates myuser1 and 2 )
So in my private internal CA these certificates checked out against the CA root certificate named "MYCAPFSENSE.crt". This is a good way to validate a certificate in a trust chain.
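As an added example, not the blog's own commands, the script below builds a throwaway PKI with openssl (root "MYCAPFSENSE" signing an intermediate, which issues user1 and user2 with different key sizes), plus a second, unrelated root that issues "myuser1". It then does the three checks this post and the GnuTLS post above are about: which user certificates chain to our root with the intermediate supplied as untrusted, whether an otherwise good chain has merely expired (evaluated at a future time with verify -attime), and whether a server certificate is a wildcard/SAN certificate. The CN names mirror the post; the key sizes, lifetimes and the example.net SAN are assumptions of mine. It uses openssl locally rather than gnutls-cli against a live host so it runs offline, and needs OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example, not the blog's commands: throwaway PKI with openssl, chain
# verification against a private root, expiry check at a future time, and
# wildcard/SAN inspection. Names from the post; key sizes, lifetimes and the
# example.net SAN are made up here.

WORK=$(mktemp -d)
cd "$WORK" || exit 1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.net,DNS:example.net\n' > san.ext

# mkroot NAME CN BITS -> self-signed root NAME.crt / NAME.key
mkroot() {
    openssl req -x509 -newkey "rsa:$3" -nodes -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=$2" -days 3650 >/dev/null 2>&1
}
# issue NAME CN BITS ISSUER DAYS EXTFILE -> NAME.crt signed by ISSUER.key
issue() {
    openssl req -newkey "rsa:$3" -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
        -out "$1.crt" -days "$5" -extfile "$6" >/dev/null 2>&1
}

mkroot root MYCAPFSENSE 2048
issue int "MY-INTERMEDIATE" 2048 root 1825 ca.ext
issue user1 user1 2048 int 365 leaf.ext      # key sizes differ on purpose:
issue user2 user2 3072 int 365 leaf.ext      # they have no bearing on verification
issue srv "*.example.net" 2048 int 365 san.ext
mkroot other OTHER-CA 2048
issue myuser1 myuser1 2048 other 365 leaf.ext  # signed by a CA we do not trust

# verify_chain CERT [EPOCH] -> EXPIRED | OK | UNTRUSTED, evaluated at EPOCH
# (default: now). The intermediate is passed as -untrusted, so only root.crt
# is a trust anchor, which is how a VPN peer would evaluate the chain.
verify_chain() {
    if [ -n "$2" ]; then
        out=$(openssl verify -attime "$2" -CAfile root.crt -untrusted int.crt "$1" 2>&1 || true)
    else
        out=$(openssl verify -CAfile root.crt -untrusted int.crt "$1" 2>&1 || true)
    fi
    case "$out" in
        *"certificate has expired"*) echo EXPIRED ;;
        *": OK"*)                    echo OK ;;
        *)                           echo UNTRUSTED ;;
    esac
}

# san_of CERT -> the subjectAltName line (empty when the cert has none)
san_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}
# is_wildcard CERT -> exit 0 when any DNS SAN entry starts with "*."
is_wildcard() { san_of "$1" | grep -q 'DNS:\*\.' ; }

for c in user1 user2 myuser1; do echo "$c.crt: $(verify_chain $c.crt)"; done
echo "user1.crt in 400 days: $(verify_chain user1.crt $(( $(date +%s) + 400 * 86400 )))"
echo "srv.crt SAN: $(san_of srv.crt)"
is_wildcard srv.crt && echo "srv.crt is a wildcard certificate"
```

The EXPIRED case is the distinction the post draws: the signature still checks out against the CA, but the validity window does not, and openssl reports "certificate has expired" rather than an issuer error. For a live server, gnutls-cli --print-cert (or openssl s_client -showcerts) gives you the same PEM chain to feed into these checks.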
Friday, January 1, 2016
Fun with FortiOS routes and /32
FortiOS allows a /32 mask on a defined LAN interface. In reality you will not gain anything by doing this. I want to show you a few issues that come up with a /32 on an interface.
Here's my system interface configuration;
note: notice the /32 mask
Here's the route table;
No route exists. The only way to see this route is via the get router info kernel output.
One other issue: if you try to use that interface in a static route entry, all routes will be flagged inactive.
btw: that interface is pingable from execute ping.