Thursday, March 29, 2018

FortiClient Upgrade MACOSX

The FortiClient was upgraded on my MacBook.





So far nothing to report.






NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
 

Fortinet ( FTNT ) has released FortiOS v6.0

This should bring us some new features and, no doubt, some new problems. Today, 03/29/2018, is a new day for FortiOS and Fortinet (FTNT), and all eyes are on them.




Looking through the release notes, a lot of earlier models are dropped from the supported list. This will force customers who have been holding out to refresh their firewall appliances and retire the older models: they will have to replace hardware in order to run v6.0.

TLS v1.0 also appears to be dropped as a supported feature. This is minor, since nearly everything nowadays supports TLS v1.1 or better, and PCI DSS requires TLS 1.0 to be disabled by June 30, 2018 anyway.

I have a FWF50E appliance on order for my home that's been backlogged now for 2+ weeks, so assuming it arrives, I will update that model and post any new issues.

For now we can only wait for v6.0 and the sub-builds that will follow. FTNT has not had a good track record with new builds: a lot of issues have slipped through the cracks, and past new releases from Fortinet ( FTNT ) have left a bad taste.



Ken Felix








Wednesday, March 28, 2018

You got to secure that data

Working in the security sector, personal information needs to be secured. Personal details such as DOB/DOD/SSN, addresses and account numbers should be identified, secured at rest and in transit, and restricted to the people who actually need the data.


Here is an example of sensitive data found on a Windows share with little to no access restriction:



This information, in the wrong hands, could be harvested and sold or used for ill gains.
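Finding that kind of data is the first step. Here is an added example (my code, not from the original post) that walks a mounted share, flags files containing SSNs, DOBs and Luhn-valid card/account numbers, and reports whether each hit is readable by everyone. The file names, the records in them and the POSIX permission check are constructed assumptions for the demo; on a native Windows share, check the ACL with icacls or Get-Acl instead of the mode bits.

```python
import os
import re
import shutil
import stat
import tempfile

# Patterns for the data classes the post lists. The SSN pattern rejects area
# 000/666/9xx, group 00 and serial 0000, which are never issued, to cut false hits.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    # Candidate card/account numbers: 13-19 digits with optional space/dash
    # separators; confirmed with a Luhn check in scan_text().
    "pan": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards and many account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Return {class: [matches]} for every sensitive-data class found in text."""
    hits = {}
    for name, rx in PATTERNS.items():
        found = []
        for m in rx.finditer(text):
            value = m.group(0)
            if name == "pan":
                value = re.sub(r"[ -]", "", value)
                if not luhn_ok(value):
                    continue  # digit run that is not a valid card/account number
            found.append(value)
        if found:
            hits[name] = found
    return hits


def scan_share(root: str, max_bytes: int = 10 * 1024 * 1024) -> list:
    """Walk a mounted share and list files that contain sensitive data.

    The permission check is POSIX-only (other-readable bit); on a Windows
    share inspect the ACL instead (assumption: share is mounted on a POSIX host).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            st = os.stat(path)
            if st.st_size > max_bytes:
                continue
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits = scan_text(fh.read())
            if hits:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "hits": hits,
                    "world_readable": bool(st.st_mode & stat.S_IROTH),
                })
    return findings


def demo() -> list:
    """Build a constructed share (fake records, not real people), scan it, clean up."""
    root = tempfile.mkdtemp(prefix="share_")
    try:
        hr = os.path.join(root, "HR")
        os.makedirs(hr)
        with open(os.path.join(hr, "employees.csv"), "w") as fh:
            fh.write("Jane Doe,04/12/1979,123-45-6789,4111 1111 1111 1111\n")
            # second row: invalid month, invalid SSN area (9xx), bad Luhn digit
            fh.write("John Roe,13/01/1980,987-65-4321,4111 1111 1111 1112\n")
        with open(os.path.join(root, "README.txt"), "w") as fh:
            fh.write("Call ext 555-1234 for access requests.\n")
        os.chmod(os.path.join(hr, "employees.csv"), 0o644)  # world-readable on purpose
        return scan_share(root)
    finally:
        shutil.rmtree(root)
```

The second employee row shows why the patterns carry structure checks: a plain "three digits dash two dash four" regex would report the 987-65-4321 ticket number and the mistyped card as PII and bury the real hit in noise.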




 
Ken Felix

Wednesday, March 21, 2018

MOAS BGP ASN conflicts

IPv4/IPv6 prefixes can be originated by one, two or more BGP ASNs. A prefix with more than one origin AS is called MOAS (multi-origin AS).

Digital Ocean is a big culprit here. They have prefixes that originate from multiple ASes and even from different GEO IP regions.



So when writing BGP route policies, please do BGP origin lookups and determine which AS numbers can originate the prefix. Hurricane Electric does this level of analysis for each BGP prefix recorded on its website.
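As an added example (not from the original post), the origin lookup as code: a constructed RIB excerpt is reduced to the origin AS per prefix, MOAS prefixes are listed, and the observed origins are diffed against what a route policy assumes. The prefixes and AS numbers are documentation and private ranges picked for illustration; for a real prefix the same origin list is what the bgp.he.net prefix page shows.

```python
from collections import defaultdict

# Constructed RIB excerpt (not real routes): one route per line as
# "<prefix> <AS_PATH>", the way a route-collector dump or "show ip bgp" lists it.
# The rightmost element is the origin; {a,b} is an AS_SET left by aggregation.
SAMPLE_RIB = """\
192.0.2.0/24     64496 64500 65001
192.0.2.0/24     64497 65002
192.0.2.0/24     64496 64500 65001 65001 65001
198.51.100.0/24  64496 64511
2001:db8::/32    64496 64500 {65010,65011}
2001:db8::/32    64497 65010
203.0.113.0/24   64496 64499
"""


def origin_ases(as_path: str) -> set:
    """Origin AS(es) of an AS_PATH: the last hop, expanded if it is an AS_SET.
    Prepends collapse naturally because only the last element is read."""
    last = as_path.split()[-1]
    if last.startswith("{"):
        return {int(a) for a in last.strip("{}").split(",") if a}
    return {int(last)}


def origins_by_prefix(rib_text: str) -> dict:
    """Map each prefix to the set of ASes seen originating it."""
    origins = defaultdict(set)
    for line in rib_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        prefix, path = line.split(None, 1)
        origins[prefix] |= origin_ases(path)
    return dict(origins)


def find_moas(rib_text: str) -> dict:
    """Prefixes with more than one origin AS, i.e. MOAS conflicts."""
    return {p: o for p, o in origins_by_prefix(rib_text).items() if len(o) > 1}


def unexpected_origins(rib_text: str, expected: dict) -> dict:
    """Compare observed origins with what a route policy assumes.

    expected: {prefix: set of ASNs allowed to originate it}. Returns, per
    prefix, the origins seen in the RIB that the policy did not anticipate;
    those are the routes an origin-AS filter would silently drop.
    """
    seen = origins_by_prefix(rib_text)
    gaps = {}
    for prefix, allowed in expected.items():
        extra = seen.get(prefix, set()) - set(allowed)
        if extra:
            gaps[prefix] = extra
    return gaps


if __name__ == "__main__":
    for prefix, ases in sorted(find_moas(SAMPLE_RIB).items()):
        print(f"MOAS {prefix}: origins {sorted(ases)}")
    policy = {"192.0.2.0/24": {65001}, "203.0.113.0/24": {64499}}
    print("policy gaps:", unexpected_origins(SAMPLE_RIB, policy))
```

Run against a real collector dump (RouteViews or RIPE RIS) rather than one router's view: MOAS shows up only when you see the prefix from enough vantage points, which is exactly the view the HE tool gives you.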









Ken Felix

Tuesday, March 20, 2018

Fortigate v5.6.x issues with

The 5.6.x FortiOS version seems to have a host of issues. In this case we found that the traffic log was not logging.



It was also found that local-in-policy traffic is recorded.


Also check out this CLI awkwardness (both enabled and disabled are set)?





Ken Felix






Monday, March 19, 2018

SSL certificate issuer mistake with private-keys

I saw it posted that a certificate issuer mailed the private keys for over 20K certificates.



I have no comments, but a lot of organizations have poor security practices when delivering private keys.


Unless the private keys were secured with AES encryption and a strong passphrase, sending them via EMAIL was a very wrong thing to do.
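Here is an added example (my code, not from the post) of the check I would put in front of any process that attaches a private key to a message: it classifies a PEM key as plaintext, legacy OpenSSL-encrypted (cipher named in the DEK-Info header), PKCS#8 encrypted, or OpenSSH format, and refuses plaintext keys and weak legacy ciphers. The PEM samples are constructed header-only stubs with the base64 body omitted, not real keys, and the send/no-send policy is my assumption.

```python
import base64
import re
import struct

# Legacy PEM ciphers that should never guard a key (single DES, 3DES, RC2, IDEA).
LEGACY_WEAK = ("DES-CBC", "DES-EDE3-CBC", "RC2-", "IDEA-")


def _openssh_cipher(body_b64: str) -> str:
    """Cipher name stored in an OpenSSH private key ('none' means unencrypted)."""
    raw = base64.b64decode(body_b64)
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        return "unknown"
    pos = len(magic)
    (n,) = struct.unpack(">I", raw[pos:pos + 4])
    return raw[pos + 4:pos + 4 + n].decode()


def key_protection(pem: str) -> dict:
    """Classify how a PEM private key is protected before it leaves the building."""
    head = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----", pem)
    label = head.group(1) if head else "?"
    info = {"label": label, "scheme": "plaintext", "cipher": None, "send_ok": False, "note": ""}
    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8: KDF and cipher live inside the DER; 'openssl asn1parse' shows them.
        info.update(scheme="pkcs8-encrypted", send_ok=True,
                    note="passphrase must still travel out of band")
    elif "Proc-Type: 4,ENCRYPTED" in pem:
        m = re.search(r"DEK-Info: ([A-Z0-9-]+),", pem)
        cipher = m.group(1) if m else "?"
        weak = cipher == "?" or cipher.startswith(LEGACY_WEAK)
        info.update(scheme="legacy-pem", cipher=cipher, send_ok=not weak)
        info["note"] = (f"{cipher} is too weak to protect a key" if weak else
                        "legacy PEM derives the key with one MD5 round; only as strong as the passphrase")
    elif label == "OPENSSH PRIVATE KEY":
        body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
        cipher = _openssh_cipher(body)
        info.update(scheme="openssh", cipher=cipher, send_ok=cipher not in ("none", "unknown"))
        info["note"] = "bcrypt KDF" if info["send_ok"] else "unencrypted OpenSSH key"
    else:
        info["note"] = "unencrypted: encrypt first, or better, generate the key on the target host"
    return info


def gate_attachments(named_pems: dict) -> list:
    """{name: pem} -> names that must NOT be sent as they are."""
    return sorted(n for n, p in named_pems.items() if not key_protection(p)["send_ok"])


# --- constructed samples: header stubs only, bodies omitted, not real keys ---
PLAINTEXT_RSA = "-----BEGIN RSA PRIVATE KEY-----\n<base64 body omitted>\n-----END RSA PRIVATE KEY-----\n"
PKCS8_ENC = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n<base64 body omitted>\n-----END ENCRYPTED PRIVATE KEY-----\n"
LEGACY_AES = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
              "<base64 body omitted>\n-----END RSA PRIVATE KEY-----\n")
LEGACY_DES = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
              "<base64 body omitted>\n-----END RSA PRIVATE KEY-----\n")


def constructed_openssh(cipher: str) -> str:
    """Stub OpenSSH key with only the magic and cipher-name fields filled in."""
    raw = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode() + b"\x00" * 16
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

The legacy "Proc-Type/DEK-Info" format is what older openssl defaults produce; its key derivation is a single MD5 pass over the passphrase, so even AES-256-CBC there rests entirely on passphrase strength. PKCS#8 with PBKDF2 or scrypt (openssl pkcs8 -topk8 -v2 aes-256-cbc, or -scrypt) is the better container, and the passphrase still goes by a separate channel.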







Ken Felix





 

Monday, March 12, 2018

forcepoint vpn profile Ikev1/2

The Forcepoint NGFW appliances support both IKEv1 and IKEv2 within their VPN profiles. The VPN profiles also support Blowfish and AES-128/256, but not AES-192. Blowfish is a 64-bit block cipher, so leave it out of any profile you build even though it is offered.





So automatic selection is allowed, and after running the IPsec debug diagnostics you can use the log browser with a VPN filter to see what was used for phase 1.


Note: Barracuda firewalls are the only other commercial firewall that I know of that supports Blowfish.

Ken Felix





Wednesday, March 7, 2018

FortiOS log brief explained

The FortiGate { FTNT } security firewall offers an optional brief log format. This drops certain fields from the log output.


The command to  enable this function is highlighted below.




Fortinet has posted a KB article on which fields are removed in the brief log format.







You can inspect the log data on the wire. Here is a tcpdump output of brief and normal format. Brief mode carries less payload per record and draws less bandwidth in heavy logs-per-second environments.
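To quantify what brief mode buys you, here is an added example (mine, not from the post or from Fortinet) that parses FortiOS key=value records, diffs the field sets of a full and a brief record, and checks that the keys your SIEM correlates on survive. Both sample lines are constructed to look like FortiOS traffic logs; which fields brief mode really drops has to come from Fortinet's KB for your release, not from this sample. As I recall the switch is set brief-traffic-format enable under config log setting; verify that against your release's CLI reference.

```python
import re

# Constructed FortiOS-style traffic records (key=value, quoted when the value
# contains spaces), standing in for the tcpdump captures. The brief line is an
# assumption of what a brief-format record keeps, not Fortinet's published list.
FULL_LINE = (
    'date=2018-03-07 time=10:15:22 devname="FGT60E-LAB" devid="FGT60E0000000001" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'eventtime=1520417722 srcip=10.1.1.5 srcport=51234 srcintf="port1" srcintfrole="lan" '
    'dstip=203.0.113.10 dstport=443 dstintf="wan1" dstintfrole="wan" sessionid=12345 '
    'proto=6 action="accept" policyid=3 policytype="policy" service="HTTPS" '
    'dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=198.51.100.1 '
    'transport=51234 duration=12 sentbyte=2345 rcvdbyte=6789 sentpkt=15 rcvdpkt=20 '
    'appcat="unscanned"'
)
BRIEF_LINE = (
    'date=2018-03-07 time=10:15:22 devname="FGT60E-LAB" devid="FGT60E0000000001" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.1.1.5 srcport=51234 srcintf="port1" dstip=203.0.113.10 dstport=443 '
    'dstintf="wan1" sessionid=12345 proto=6 action="accept" policyid=3 service="HTTPS" '
    'duration=12 sentbyte=2345 rcvdbyte=6789'
)

# key=value where value is either a double-quoted string (may contain spaces,
# backslash escapes) or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Keys most correlation searches pivot on; adjust to what your SIEM content uses.
REQUIRED_KEYS = ("srcip", "srcport", "dstip", "dstport", "action", "policyid", "sessionid")


def parse_fortilog(line: str) -> dict:
    """Turn one FortiOS record into a dict, stripping the quotes from quoted values."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in FIELD_RE.findall(line)}


def compare_formats(full: str, brief: str) -> dict:
    """Which fields the brief record lost, and the byte sizes of both records."""
    f, b = parse_fortilog(full), parse_fortilog(brief)
    return {
        "dropped": sorted(set(f) - set(b)),
        "kept": sorted(set(f) & set(b)),
        "bytes_full": len(full.encode()),
        "bytes_brief": len(brief.encode()),
    }


def daily_saving_mb(full: str, brief: str, logs_per_sec: int) -> float:
    """Log-transport bandwidth saved per day at a sustained rate (payload only, no headers)."""
    c = compare_formats(full, brief)
    return (c["bytes_full"] - c["bytes_brief"]) * logs_per_sec * 86400 / 1e6


def missing_required(brief: str, required=REQUIRED_KEYS) -> list:
    """Required correlation keys that a brief record no longer carries."""
    return sorted(set(required) - set(parse_fortilog(brief)))


if __name__ == "__main__":
    c = compare_formats(FULL_LINE, BRIEF_LINE)
    print("dropped:", c["dropped"])
    print(f"{c['bytes_full']} -> {c['bytes_brief']} bytes; "
          f"{daily_saving_mb(FULL_LINE, BRIEF_LINE, 500):.1f} MB/day saved at 500 logs/s")
    print("missing required:", missing_required(BRIEF_LINE, REQUIRED_KEYS + ("eventtime",)))
```

The last check is the one to run before flipping the switch in production: brief mode is a bandwidth feature, and if a field the SOC pivots on goes missing you will only find out during the next investigation.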





Ken Felix





Monday, March 5, 2018

F5 LTM SSL client-ssl for PCI compliances

In order to be PCI DSS compliant by June 30, 2018, you need to have disabled TLS v1.0 and any older SSL protocols ( !!which you should have already done btw!! ).

To do this on an F5 LTM is quite simple: in the client-ssl profile's Options list, set no-tlsv1, no-sslv2 and no-sslv3. You can also trim the cipher string down to the suites you will accept.




You can use SSL Labs or HTBridge to double-check that the LTM virtual server does not allow those protocols.


Alternatively, you can test the connection yourself using sslscan, openssl or even curl.

e.g
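As an added example (not from the post), a Python probe that pins one protocol version at a time against the virtual server and applies the PCI rule to the outcome; it complements the client-ssl profile change described above. Host and port are whatever you point it at. Python's ssl module cannot speak SSLv2/SSLv3, and a modern OpenSSL may refuse to offer TLS 1.0 itself, so the code reports those cases as untestable rather than as a pass; that is exactly when you need sslscan or the SSL Labs check the post mentions.

```python
import socket
import ssl

# Versions to exercise. PCI DSS (the June 30, 2018 deadline) rules out SSLv2/v3
# and TLS 1.0; SSLv2/v3 cannot be probed from Python's ssl module at all.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}
FORBIDDEN = ("TLSv1",)               # must be refused by the virtual server
ACCEPTABLE = ("TLSv1_2", "TLSv1_3")  # at least one must work or nobody can connect

# OpenSSL reasons meaning *our* client would not offer the version (build or
# security-level policy), as opposed to the server rejecting it.
LOCAL_REFUSAL = ("NO_PROTOCOLS_AVAILABLE", "UNSUPPORTED_PROTOCOL")


def probe_version(host, port, version, timeout=5.0):
    """Pin one protocol version on the client side and try to handshake.

    Returns (outcome, detail); outcome is 'negotiated', 'rejected' or
    'untestable' (local OpenSSL refused, or no TCP connection).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol support is under test, not the certificate
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError as exc:
        return "untestable", f"local OpenSSL: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "negotiated", tls.version()
    except ssl.SSLError as exc:
        reason = (exc.reason or str(exc)).upper()
        if any(r in reason for r in LOCAL_REFUSAL):
            return "untestable", reason
        return "rejected", reason
    except OSError as exc:
        return "untestable", f"connect error: {exc}"


def classify(results):
    """Apply the PCI rule to {version_name: (outcome, detail)}."""
    def outcome(name):
        return results.get(name, ("untestable", "not probed"))[0]
    accepted = [n for n in FORBIDDEN if outcome(n) == "negotiated"]
    unverified = [n for n in FORBIDDEN if outcome(n) == "untestable"]
    modern = any(outcome(n) == "negotiated" for n in ACCEPTABLE)
    return {
        "compliant": not accepted and not unverified and modern,
        "forbidden_accepted": accepted,
        "needs_external_check": unverified,  # corroborate with sslscan / SSL Labs
        "modern_tls_ok": modern,
    }


def audit(host, port=443):
    """Probe every version against one virtual server and classify the result."""
    return classify({name: probe_version(host, port, v) for name, v in VERSIONS.items()})


if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A "rejected" verdict for TLS 1.0 from a current OpenSSL build is weaker evidence than it looks, because the failure can originate on either end of the handshake; treat "compliant" here as a precondition for the external scan, not a replacement for it.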







You can also use an online ASV service for PCI compliance checks, to ensure no glaring holes are left in your PCI compliance.


https://www.serverscan.com/PCI-Compliance-Scanning-Solutions-for-Your-Business

or comodo Hackerguardian

https://www.hackerguardian.com


( e.g comodo )








Ken Felix





F5 APM Watch Out for lack of ipv6-pool


When configuring an F5 APM for SSL VPN, if you define IPv4+IPv6 network access but have no IPv6 lease pool configured, the client will fail the network_access check and be automatically kicked out.


The event logs will display an error similar to the one below. Take note of the error before the session is terminated.





So the quick takeaway: do not define IPv6 access without also applying an IPv6 lease pool.


Ken Felix



