Wednesday, February 22, 2017

Understanding HTTP redirect traces analysis

When dealing with HTTP servers and SLBs (server load balancers), redirects are common, but you need to understand the differences between them.

Typically 301 and 302 are the most used redirect methods. 307 is another redirection, but it is not seen that often. These are also called "server-side redirects" since historically they were issued by web-server daemons, but in reality they can come from servers, WAFs or reverse proxies.


Let's look at some redirect examples, but before we do that, "what are redirects"? They populate a Location: header that re-points the web client to the web content that he/she is looking for. The simple definition:

A location is passed to the User-Agent in the shape and fashion of

Location: http://kenfelix.com/blogger/

Or

Location: https://kenfelix.com/

This new Location header is just that: a header that points you to the new location.

301 == permanent
302 == Found-A-new-Location
307 == temporary

NOTE: 302s are mistakenly called temporary redirects, but per the HTTP definitions, they are not.


reference: https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

Here's my bank's IBC; this is a very bad redirect flow. It just causes additional work on the browser and additional delay for the first byte served of the content requested.





Up next, here's another example of a redirect flow. I highlighted cookies in this one. Two Windows servers were involved plus a load balancer.

note: notice how the Set-Cookie headers are not encrypted; this leaks internal host information





One of the best Unix tools available for following redirects is curl with the -L option.

-L == Location (follow the Location: header)


Here's mail.google.com; notice the URL protocol changes if you initially hit the first link via HTTP.





Each redirect creates a new HTTP request and adds to the dependency and delay factor.


Typically, domain redirects are very popular, e.g.



And for SSL-enabled sites, an HTTP-to-HTTPS redirect is commonly used.




Jigsaw has a simple and effective 307 redirect and proper use (notice "Temporary" in the HTTP response code?)

https://jigsaw.w3.org/HTTP/300/Overview.html



HTTP/1.1 307 Temporary Redirect  <-----

vs.

HTTP/1.1 302 Moved Temporarily    <-----




Here's how PayPal redirects: 302 then 301 (a big no-no, imho)







reference: http://www.redirect-checker.org/index.php


Good practices are:

1: keep the redirects as few as possible
2: use 307 redirects when possible, if the target is a temporary location (307 "Temporary Redirect", not 302 "Moved Temporarily")
3: avoid redirect loops
4: if you redirect from HTTP to HTTPS on a server, try to use HTTPS on that server
5: check redirect consistency and remove any stale redirects on a regular basis
6: for web developers, harvest your site URLs and run them through a spider or URL optimizer that minimizes duplication and short HTTP hops between redirects on a local website
7: remember that redirect type 301 is more favorable for SEO



These tips will help you create a good HTTP experience for the end user.
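As an added example (not the post's, curl's or PayPal's code), here is a small Python tracer that stops at every hop like curl without -L and then audits the chain for the issues discussed above: extra hops, a 302 in front of a 301, Set-Cookie sent over plaintext HTTP, redirect loops and HTTPS-to-HTTP downgrades. The example.test hostnames and the SAMPLE hops are constructed, shaped like the PayPal trace.

```python
"""Trace an HTTP redirect chain hop by hop and audit it. Added example, not the post's code."""
import urllib.error, urllib.request
from urllib.parse import urljoin, urlsplit

class NoFollow(urllib.request.HTTPRedirectHandler):
    """Stop urllib at each 3xx so every hop is visible (like curl without -L)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch_chain(url, max_hops=10):
    """Return [(url, status, headers)] by following Location: manually (needs network)."""
    opener, hops = urllib.request.build_opener(NoFollow), []
    while len(hops) < max_hops:
        try:
            resp = opener.open(url, timeout=10)
        except urllib.error.HTTPError as err:
            resp = err                      # an unfollowed 3xx surfaces as HTTPError
        hops.append((url, resp.code, dict(resp.headers)))
        loc = resp.headers.get("Location")
        if resp.code not in (301, 302, 303, 307, 308) or not loc:
            break
        url = urljoin(url, loc)             # Location may be relative
    return hops

def audit_chain(hops):
    """Return findings for a hop list in the shape fetch_chain() produces."""
    findings, seen = [], set()
    if len(hops) > 2:
        findings.append("%d redirects in chain; keep it to one" % (len(hops) - 1))
    for i, (url, status, hdrs) in enumerate(hops):
        scheme = urlsplit(url).scheme
        if url in seen:                     # the same URL twice means a loop
            findings.append("redirect loop at %s" % url)
            break
        seen.add(url)
        if scheme == "http" and any(k.lower() == "set-cookie" for k in hdrs):
            findings.append("Set-Cookie sent over plaintext HTTP at %s" % url)
        if i and urlsplit(hops[i - 1][0]).scheme == "https" and scheme == "http":
            findings.append("HTTPS downgraded to HTTP at %s" % url)
        if status == 302 and i + 1 < len(hops) and hops[i + 1][1] == 301:
            findings.append("302 at %s followed by 301; put the permanent hop first" % url)
    return findings

# Constructed sample shaped like the post's PayPal trace: 302, then 301, then 200.
SAMPLE = [
    ("http://www.example.test/", 302, {"Location": "http://example.test/", "Set-Cookie": "lb=web01"}),
    ("http://example.test/", 301, {"Location": "https://www.example.test/"}),
    ("https://www.example.test/", 200, {"Content-Type": "text/html"}),
]
```

Run `audit_chain(fetch_chain("http://your-site.example/"))` against a live site to get the same findings for a real chain.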


NOTE: PayPal is really cool: if they see you're a web-analyzer guy that uses curl, they give you an X- custom header for job recruiting in the response.






Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \

Tuesday, February 21, 2017

finding the max TPS for client-side SSL on an F5

Here's a sure way on an F5 LTM VE image to find the max SSL client-side connections that are allowed.

1st, monitor the F5 performance stats

(tmos)# show sys performance  | grep SSL
SSL Transactions               Current  Average  Max(since 02/21/17 12:45:27)

SSL TPS                             25       35                            44


2nd, gather the license details


(tmos)# show sys license


3rd, now grep for the TPS and TMM counts

(tmos)# show sys license detail | grep -i perf_SSL_total
perf_SSL_total_TPS [500]


(tmos)# show sys tmm-info global | grep   TMM
Sys::TMM           
  TMM Count               2


The total would be your licensed TPS count x TMM qty.




Sunday, February 19, 2017

In a pinch: how to find your FGT serial number

If you have a FortiGate in an ACT-PAS (active-passive) cluster and you can't log in, the factory-installed certificate will have the serial number in the CN.



examples






1>

CN=FG3K2C3Z23803457




2>




This is also useful when you're confused about which FGT unit is the active one from a management perspective.







GOTCHAS when using remote-admin logins with "wildcard" admin users

When executing FortiOS backups and revisions on the FortiGate, the user listed in the backup or revision is "wildcard". This alone gives you no history on who the actual user was for that backup or revision entry.

see example #1 (WebGUI revisions)




see example #2 (WebGUI revisions)




see example #3 (download backup configuration file)



The same thing happens on FortiOS 5.4





You can always locate the system event logs if you need to audit or track who made the change and match it against the timestamp, as long as the log buffer has not been rolled over or deleted.


exe log  filter  category 1

exe log display 






Thursday, February 16, 2017

private-key lifetime recommendations

For SSL certificates, the max lifetime recommended by NIST is 3 years.

reference: NIST SP 800 series or the CA/Browser Forum

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ 

https://cabforum.org/


Yes, three years is all that we get, and that does not cover all certificate types.

This is why no CA will sign CSRs for more than 3 years (1095 days), so if you need an SSL certificate, that certificate would need a life expectancy of 1095 days or less.


Also, you will never find a CA who will sign a sub-key for longer than its own key
(this should be obvious)

You will find that some CAs follow the 39-month max lifetime, and most EV certificates are issued at a max of 1 or 2 years depending on their policies. And yes, it's all about the money ;)

The CA and intermediates could have lifetimes of between 10 and 30 years.

So if you want a certificate signed for longer, you need your own private CA.




Friday, February 10, 2017

An SSL Labs alternative

If you have ever done any SSL validation or auditing, then you must have used Qualys SSL Labs for SSL server reporting.

https://www.ssllabs.com/ssltest/analyze.html

A great alternative is offered via High-Tech Bridge: https://www.htbridge.com/ssl


PROs over SSL Labs


  • it's much faster from start to finish
  • provides downloadable test results
  • output is simpler to follow
  • the root > intermediates chain is easier to validate
  • you can easily test non-standard HTTP ports (https://mysite.mydomain.com:8001 for example)
  • conducts a raft of compliance tests with output for PCI/HIPAA/NIST
  • you have more test options: web, email, domain
  • can test various HTTP server headers and validate cookies

Here are a few screenshots of important outputs in the downloadable PDF report for a typical site






various compliance checks again





best-practices suggestions




certificate chain details







optional domain check results



header checks



validating that cookies are encrypted (set over HTTPS)



This is the easiest CA-chain format to follow










Tuesday, February 7, 2017

PANOS 8.0 is finally here

We just got notice that PANOS v8 is out. This is great news, I guess. So we have another PANOS version available.









Thursday, February 2, 2017

NetworkMiner on Mac OS X

NetworkMiner is a simple and effective tool for the forensic and SSL engineer. It can give you insight into SSL traffic and what/who/where certificates are being used.

To run it on Mac OS X, just grab the Mono pkg and install it. Then, after downloading the NetworkMiner binary, from the CLI you run "mono NetworkMiner.exe".


NOTE: on a small MacBook Air it can take some time to open, and if you're running against a large pcap file the time to load depends on the size and number of entries in the pcap.

NetworkMiner can now be used to grab pertinent information from traffic flows, e.g.

  1. conversation details
  2. SSL certificate details, including protocol and handshake cert names
  3. client and server information
  4. credentials used
  5. TCP ports in use
  6. HTTP headers, which can easily be filtered for a match
  7. reconstructed file information
  8. inspecting and sniffing open (cleartext) email communications

Here are a few screenshots showing how we can inspect traffic details. This is a great tool to use if you want to find sessions that are using a particular SSL certificate by serial # or date.


Details and OS identification




Inspecting for the Blue Coat proxy X- header



Finding Server header strings from an ADC



Determining the web-auth methods supported by a web server
 


Loading a pcap file can be time-consuming on smaller systems, but it's easy to replay pcap files for traffic analysis



Viewing the certificate values




Displaying certificate serial numbers

Searching on User-Agent strings
 



Finding a certificate in use via the expiration date





