Thursday, May 31, 2018

FortiClient IPSEC beaware of keyid

Over the last 3 weeks,  I have  had about 4 requests in trying to  help others with  using the fortiClient as a  ipsec-client  &  for accessing nonFortigate appliance. I was successful in  3 out of 4 devices.


One thing that was over looked by the other administrators, the  IPSEC-GW needs the proper keyid value and not FQDN or username during IKEv1 setup. You can have all of the correct  auth/encryption proposals  defined,  and the proper localid ( aka  group_name ) , but if the responder is expecting   a FQDN, the  fortiClient  will not work in most cases.


This two screen shows will show the fortiClient  and the idtype value of keyid vrs FQDN capture from a tcpdump



So if you have a ipsec-gateway set the  group idtype to  be keyid  if you want to  use the fortiClient.


On a Fortigate appliance they typically don't care and use a type of "any" unless you hard code it.

 example.


NOTE: these values are sent in the clear &  when  IKEv1 is  being used along with aggressive-mode,  this is why  ikescan attacks and weak PreShareKeys are  quick to be brute-force. So if you use  IKEv1 , try to    set very long pre-share-keys and if your using  XAUTH for dynamic-remote users, very long  password or even  better a hybrid of  PSK+XAUTH+MFA

http://www.nta-monitor.com/wiki/index.php/Ike-scan_User_Guide

http://socpuppet.blogspot.com/2015/10/the-forticlient-and-cisco-vpn-ipsec.html







NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \
 

Wednesday, May 30, 2018

NCP entry vpn macosx and DHCP-ipsec

In this blog, I will show how  basic fortigate configuration and with  DHCP was enabled for FortiOSv6.0


{ here's the cfg, ignore the ipv6   for now}

config system interface
    edit "DYNAMIC"
        set vdom "root"
        set type tunnel
        set snmp-index 8
        set interface "wan1"
    next
end
config system dhcp server
    edit 3
        set domain "socpuppets.com"
        set wins-server1 192.168.1.201
        set wins-server2 192.168.1.202
        set default-gateway 10.11.1.1
        set netmask 255.255.255.0
        set interface "DYNAMIC"
        set timezone-option specify
        set timezone 24
        set server-type ipsec
        set dns-server1 8.8.8.8
        set dns-server2 8.8.4.4
        set dns-server3 8.8.6.6
    next
end
config system dhcp6 server
    edit 1
        set subnet 2001:db8:99:100::/64
        set interface "DYNAMIC"
    next
end

config firewall address
    edit "DYNAMIC_range"
        set uuid a7a40fbc-6381-51e8-4997-9d6734e501f7
        set type iprange
        set comment "VPN: DYNAMIC (Created by VPN wizard)"
        set start-ip 10.11.1.1
        set end-ip 10.11.1.100
    next
end
config firewall addrgrp
    edit "DYNAMIC_split"
        set uuid a68a98d0-6381-51e8-ec77-cae52f49aee9
        set member "NET_192_168_1" "NET_192_168_2"
        set comment "VPN NETWORKS TO ALLOW"
    next
end
config vpn ipsec phase1-interface
    edit "DYNAMIC"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set proposal aes128-sha1 aes128-md5 aes128-sha256
        set localid "brooklyn.socpuppets.com"
        set dpd on-idle
        set comments "VPN: DYNAMIC (Created by VPN wizard)"
        set dhgrp 5
        set wizard-type dialup-cisco
        set xauthtype auto
        set authusrgrp "Guest-group"
        set idle-timeout enable
        set psksecret   d!onthackme12345!
        set dpd-retrycount 10
        set dpd-retryinterval 120
    next
end
config vpn ipsec phase2-interface
    edit "DYNAMIC"
        set phase1name "DYNAMIC"
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set comments "PHASE2-IPSEC-PROFILE"
    next
    edit "DYNAMIC_ipv6"
        set phase1name "DYNAMIC"
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set src-addr-type name6
        set dst-addr-type name6
        set keylifeseconds 3600
        set src-name6 "IPV6"
        set dst-name6 "all"
    next
end
config firewall policy
    edit 2
        set name "DYNAMIC_remote"
        set uuid a7e11da8-6381-51e8-0bad-bbae1f5ebd7c
        set srcintf "DYNAMIC"
        set dstintf "internal"
        set srcaddr "DYNAMIC_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "ALLOW TRAFFIC TO INTERNAL NETWORK"
        set nat enable
    next
end
config firewall policy6
    edit 1
        set uuid caf67dac-6457-51e8-0ad7-1f663adda99a
        set srcintf "DYNAMIC"
        set dstintf "internal"
        set srcaddr "IPV6"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end



The NCP client  that's running on this MACOSX machine  version 10.10.5 with NCP client  3.0.0 build 38902

Now in my  example, the  DHCP-server is locally but we could have used a  dhcp-relay also


Once the client has pass phase1/2 the firewall provide the DHCP assigned address


 









NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \
 



Friday, May 25, 2018

proxy redirection Juniper

For whatever  reason junOS has never support WCCP in a SRX. Why Juniper hates or refuse to embrace WCCP might be the love and hate relationship between CSCO


Okay with that out of the way, I work for a major security  vendor and who has websense web-gateways. I will demo how you can redirect traffic for websense using the  utm-policy in a juniper. keep in mind my  websense target is down, so I can't full show the final trafficflow


To run  redistribute clients to a WSG you will  a few items

1st define the  target utm-filter-web  values. You will need the host:port  and the agreed upon timeout


1.1.1.1:8080 would be my  WEBSENSE

Now, we will call a  firewall policy and us the  UTM webfilter within the application-services



And finally we monitor at the  WSG & SRX  for traffic an utm-statistics






TIP s check the following  for diagnostics

  •  show security  utm web-filte status
  • apply a system syslog file  setting and match for WEBFILTER and any


If you are not getting proper filter and see FALLBACK , that's a good possibility that the  WSG is down.











NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \



AV scanner online

I use Sopho on my local macOS machines , and the fortinet Fortigate appliance and FortiCloud v2.0 for realtime AVscanning. This combination has been great.


CalmAV is another solution that just as effective for AV detection but in today's post, we will discuss  VirusTotal as an manual and alternative solution.
http://socpuppet.blogspot.com/2014/07/macosx-desktop-security.html









The virustotal   has  the means for a simple AV scanning and it's free service & now own by Google. It only  requires you to upload the file or run the hash  and compare.

https://www.virustotal.com/
https://en.wikipedia.org/wiki/VirusTotal


They have both daily  and size limits,  but they are reasonable. I will demo a file upload and  the list of AV scanner that scanned my file for virus detection using  the EICAR testfile which I crafted locally in a text  format.












Scan results depends on the following 1> file-size  ,  2> how busy the site  and 3> how fast you can upload a file.







NOTE: I had to disable my local AV client (  Sopho ) and my Fortigate-Firewall  from AV scanning  for this demo to work in this blog . These two  AV protections are a great combo.


The general population thinks that  you need a super duper  & high $$$$$ analysis service in order to  scan files. That's not  exactly true.




 Keep in mind , that any thing free  is just that, " Free". So don't try to compare virustotal to forticloud or wildfire analysis engine both of which  I have over  combined 7+ years of  experience with. VirusTotal will do a  decent job for the most part and if you want to analyze a file of many different file types.


 I will demo my  FortiCloud Setup &  in my next posting . This ( FortiCloud l )  is a solution for  a simple , affordable  sandbox'ing,  and with HTTP services or any other  services that you  use for downloads or files-sharing. It's easy as 1-2-3 to setup and only requires a Fortigate Firewall.

BTW ( I'm a big pfSense and OPNsense user  for the opensource networking and firewall community )


The openSource "pfSense Firewall"  also has  decent  AV pkg  FWIW. So  again,  "   !!!!  no excuses exists for  being infected via malware !!!! "

Realtime scanning is a must and along with realtime reporting.

http://socpuppet.blogspot.com/2013/02/pfsense-hvap-anti-virus-for-http.html
https://opnsense.org/









NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \

Sunday, May 20, 2018

Runnng caddyserver and quic



quic is  very good for speedy websites. It's actually quick !

 https://en.wikipedia.org/wiki/QUIC

The caddyserver supports the quic protocol and you  can play around with  quic. It's great for demo and testing and practical free in student/developer environments.


Here, I built a caddyserver and enabled the quic protocol


e.g ./caddy -config ./Caddyfile -quic 

My caddyfile contains;



By using Google Chrome we can monitor the internals network status and  by clicking on any active quic session we can pull details  on that connections



DTLS traffic for my mock website  https://www.1plus1eq2.com ;
 NOTE: notice udp-protocol










NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \






Thursday, May 17, 2018

JunOS upgrades

In the JunOS land we have some new features in JunOS that will be tackle here shortly. I had to  get some gear up on the latest versions in my current  family   15.1x49.130



Stay tune, junOS is rockin for Y2018 more good things could be coming out of the juniper camp.








NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

Forcepoint NGFW tcp.mss clamping be aware

Testing some  tcp-mss adjustments in the Forcepoint NGFW, I found a strange and awkward behavior. If you set the tcp.mss enforce to a range that outside of the  physical MTU interface on the NGFW , the firewall will drop these tcp packets and will not provide any log_browser output. Here's any example of a    byte range 1461-1461 for a 1500 byte ethernet  LAN segment



Juniper SRX and Fortigate will ignore any  value outside of the range of the MTU. One cool point on the  Force NGFW, it will honor any tcp.mss value even to 1byte. Other vendors will disregards settings that load. FortiOS default to  48 bytes regards of what value  you  set for tcp-sender that's fall below 48 bytes. I believe this is due to the internet   RFC has a minimum  size value for TCP

1P+TCP.HDR+PAYLOAD







So if you  set tcp mss values out of the range for the ethernet segment for the firewall be aware the Forcepoint NGFW can drop these packets & with no warning.







NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \





FortiOs version 6.0 admin-cert keysize

The  admin-certificate for the webAdmin interface does not  seems to like 8k bit keysizes. I crafted a widlcard  AltName certificate and loaded with in the fortigate and select the cert and it spit out complaints in all of the browsers with SSL protocol can not be negotiated.



{ NOTE: the webgui certificate details will not show the or list the keysize, use openssl, gnutls-cli or openssl }




Now here's a 4096 bit keysize being deployed in a FortiGate version 6.0 and it has no issues. So 2/4k bit keysizes seems to be the only support certificate sizes at this time.






Thinking  it  was maybe due to it being a SANs certificate, I craft a nonSAN and had the same issues so 8k bit size is a nogo for the admin certificates.













 I will  test the same certificate for SSLVPN later in the month.







NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
 







Tuesday, May 15, 2018

RBL tracker services

The RBL tracker is a system used by major email  senders that can report on  blacklisting of any of your  public address.

They offer  bulk discounts but you need high amount of address to see any benefits. They also allow a API post callback so if you want  alerts via  api post.

Here's a few  screenshots of the service with the  cost-calculators using an extreme  1hour vrs 48 hour check intervals















NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \