Tuesday, December 31, 2019

Forcepoint Magic Quadrant: can they get to leader status, and what do they need to accomplish this?

Here's a review of the Forcepoint NGFW for the Magic Quadrant Y2019.



Can they get the game rolling and become a leader against the other major giants? 

We all know that Palo Alto took the world by storm and seems to be very well adopted and liked in the NET-SEC community. Forcepoint wants to be like a PaloNET, but they are far from it.

To become a leader, they need a wolf mentality. Nir Zuk and Ken Xie have that wolf mentality. These two great-minded leaders/founders/creators in the information security arena have all produced companies younger than Forcepoint (Stonesoft) and made them into global leaders or powerhouses, basically a "rockstar".

With Forcepoint and the SMC and NGFW, you either really love it or really hate it!

The product has a Check Point-like (CHKP) feel and interface and tries to replicate what CHKP does, but they are way off the target. If you're a CHKP fw-admin you will see similarities to SmartDashboard, reporting, SmartLog queries, SmartMove, log export, multi-domain, etc.

Sometimes I wonder if Forcepoint is the evil twin brother of CHKP when it comes to its own SMC and NGFW, or whether they are in an ongoing "Spy vs Spy" battle.


Features that are common names in network security are MIA, or the features that are provided are sub-par. It's funny that Forcepoint owns a well-known proxy (Websense) and yet NGFW integration with its own WCG via WCCP is lacking. Yes, transparent proxy integration is missing between two Forcepoint-owned products.

Here's another example: SMC v6.7 just came out in the 1st week of November, and DLP is a newly supported feature. Yes, I know DLP has been around for decades. Integration with Forcepoint's own ICAP-supporting servers has limitations:

https://www.websense.com/content/support/library/ngfw/v67/relnote/ngfw_670_rn_smc_a_en-us.pdf

https://support.forcepoint.com/KBArticle?id=000017727

{Forcepoint DLP includes an ICAP server. However, this solution does not currently support X-Authenticated-User headers with the “Local” Auth-Scheme. For this reason, it is not possible to match users with the Forcepoint DLP policy when you use Forcepoint DLP with Forcepoint NGFW.}

So one product supports XAU and the other does not. You would think the Forcepoint suite of products should be 100% compatible.

What can Forcepoint do to become a leader?

Based on my own personal observation, to become a wolf you need to study the other wolves. Yes, Forcepoint needs to study the other major vendors and adopt a wolf-like attitude.

One area: they need better cohesion within the Forcepoint suite of products. They have every security offering from web, EDR, CASB, email, etc., but all of these solutions are autonomous and individualistic when viewed from the NGFW.

In closing, I look at Forcepoint vs the "other" vendors the same way as "Coke and Pepsi".

Each thinks they are the best, but take Coca-Cola: I have never seen a Pepsi delivery truck in most countries outside of the Americas, but I can guarantee you will always see a big red Coke truck or billboard before you see a Pepsi logo, even though Pepsi's financials show bigger revenue and shares. I'm pretty sure the world sees Coke as the leader and as the better product.

Again, you either love it or hate it. BTW, I drink Coke.


NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \


Monday, December 30, 2019

How to monitor Forcepoint policy changes with an API call

In this example, we will look at a policy within a Forcepoint SMC and make an API call to look at its last modification time.

1st we have to authenticate with our authentication key:



curl -v -b cookie -H "Content-Type: application/json"  -d '{"authenticationkey":"5gxuXESVCAGYAPho587taXeC"}' http://127.0.0.1:8082/6.4/login
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8082 (#0)
> POST /6.4/login HTTP/1.1
> Host: 127.0.0.1:8082
> User-Agent: curl/7.47.0
> Accept: */*
> Cookie: JSESSIONID=5DA43E32F08E101BCC681C96CE79A0AD
> Content-Type: application/json
> Content-Length: 48
> 
* upload completely sent off: 48 out of 48 bytes
< HTTP/1.1 200 
* Replaced cookie JSESSIONID="D4CF72DA884CCD5A9F30202C6F484540" for domain 127.0.0.1, path /, expire 0
< Set-Cookie: JSESSIONID=D4CF72DA884CCD5A9F30202C6F484540; Path=/; HttpOnly
< Content-Type: application/json
< Content-Length: 0
< Date: Thu, 10 Oct 2019 08:45:59 GMT
< 
* Connection #0 to host 127.0.0.1 left intact



Now, to find the policy names, we can do a GET against /elements/fw_policy for our layer-3 FW policy.


curl  -b  cookie http://127.0.0.1:8082/6.5
curl  -b  cookie http://127.0.0.1:8082/6.5/elements/fw_policy/

{"result":[{"href":"http://127.0.0.1:8082/6.5/elements/fw_policy/17","name":"demo-lab","type":"fw_policy"},{"href":"http://127.0.0.1:8082/6.5/elements/fw_policy/19","name":"demo","type":"fw_policy"}]}



If you have quite a few policies, use a filter string,
e.g.  /elements/fw_policy?filter=myname




Now you can call up that policy and look at the history:



curl  -b  cookie http://127.0.0.1:8082/6.5/elements/fw_policy/19/history

{"creation_time":1570657861418,"creator":"http://127.0.0.1:8082/6.5/elements/admin_user/2","is_locked":true,"is_obsolete":false,"is_trashed":false,"last_modification_time":1570657861418,"modifier":"http://127.0.0.1:8082/6.5/elements/admin_user/2"}

Policy modification time does not mean policy install time.


So we can see that the policy was last modified by user #2 at 1570657861418. You can call up user 2 to see the referenced username:




ubuntu@ip-172-31-47-74:~$ curl  -b  cookie http://127.0.0.1:8082/6.5/elements/admin_user/2

{"allow_sudo":false,"allowed_to_login_in_shared":true,"can_use_api":true,"console_superuser":false,"enabled":true,"engine_target":[],"key":2,"link":[{"href":"http://127.0.0.1:8082/6.5/elements/admin_user/2","rel":"self","type":"admin_user"},{"href":"http://127.0.0.1:8082/6.5/elements/admin_user/2/history","rel":"history"},{"href":"http://127.0.0.1:8082/6.5/elements/admin_user/2/change_password","rel":"change_password"},{"href":"http://127.0.0.1:8082/6.5/elements/admin_user/2/generate_password","rel":"generate_password"},{"href":"http://127.0.0.1:8082/6.5/elements/admin_user/2/change_engine_password","rel":"change_engine_password"},{"href":"http://127.0.0.1:8082/6.5/elements/admin_user/2/enable_disable","rel":"enable_disable"},{"href":"http://127.0.0.1:8082/6.5/elements/admin_user/2/unlock","rel":"unlock"}],"local_admin":false,"name":"kfelix","read_only":false,"superuser":true,"system":false}


This allows you to record data and details for auditing, and to confirm modifications, whether the policy is locked, and possibly by whom.
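As an added example (not code from the post), here is the same login, policy lookup and history check as a small Python script using only the standard library, plus a baseline comparison so it can be run on a schedule to detect changes. It assumes the base URL http://127.0.0.1:8082/6.5 from the post, that the authentication key and policy name are passed on the command line, and that last_modification_time is Unix epoch milliseconds (consistent with the Date header in the login response); the sample JSON at the top is constructed from the responses shown above so the helpers can be exercised offline.

```python
import json
import urllib.request
from datetime import datetime, timezone
from http.cookiejar import CookieJar

# Constructed sample responses, copied from the shapes the post shows (fw_policy listing,
# the /history record of policy 19, and the relevant part of admin_user/2).
SAMPLE_POLICIES = {"result": [
    {"href": "http://127.0.0.1:8082/6.5/elements/fw_policy/17", "name": "demo-lab", "type": "fw_policy"},
    {"href": "http://127.0.0.1:8082/6.5/elements/fw_policy/19", "name": "demo", "type": "fw_policy"}]}
SAMPLE_HISTORY = {"creation_time": 1570657861418, "is_locked": True, "is_obsolete": False,
                  "is_trashed": False, "last_modification_time": 1570657861418,
                  "creator": "http://127.0.0.1:8082/6.5/elements/admin_user/2",
                  "modifier": "http://127.0.0.1:8082/6.5/elements/admin_user/2"}
SAMPLE_ADMIN = {"key": 2, "name": "kfelix", "superuser": True, "enabled": True}

def epoch_ms_to_iso(ms):
    """SMC history timestamps are Unix epoch milliseconds (assumption); render as UTC ISO-8601."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def policy_href(listing, name):
    """Pick the href of the fw_policy called `name` out of a /elements/fw_policy listing."""
    for el in listing.get("result", []):
        if el.get("type") == "fw_policy" and el.get("name") == name:
            return el["href"]
    raise KeyError("no fw_policy named %r" % name)

def summarize(history, fetch):
    """Turn a /history record into an audit row; `fetch(href)` resolves the modifier URL."""
    return {"modified_at": epoch_ms_to_iso(history["last_modification_time"]),
            "modified_by": fetch(history["modifier"])["name"],
            "locked": bool(history["is_locked"])}

def changed_since(baseline_ms, history):
    """True when last_modification_time moved past the value stored on the previous poll."""
    return history["last_modification_time"] > baseline_ms

class SmcClient:
    """Cookie-based session: POST the authentication key to /login, then GET with the JSESSIONID."""
    def __init__(self, base, key):
        self.base = base
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
        req = urllib.request.Request(base + "/login", data=json.dumps({"authenticationkey": key}).encode(),
                                     headers={"Content-Type": "application/json"})
        self.opener.open(req).close()  # the jar now holds the JSESSIONID cookie
    def get(self, url):
        with self.opener.open(url) as resp:
            return json.load(resp)

if __name__ == "__main__":
    import sys  # usage: script.py <authenticationkey> <policy-name>; base URL/version taken from the post
    smc = SmcClient("http://127.0.0.1:8082/6.5", sys.argv[1])
    history = smc.get(policy_href(smc.get(smc.base + "/elements/fw_policy/"), sys.argv[2]) + "/history")
    print(json.dumps(summarize(history, smc.get), indent=1))
```

Store the last_modification_time you saw and feed it to changed_since() on the next run; a True result is your trigger to pull the audit row and alert.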


Saturday, December 28, 2019

FortiView filters for country destinations: issues in the web UI

In FortiOS version 6.x, the filters in the FortiView monitor do not work. In fact, you see the geo flag for the destination, but if you apply the country as a destination filter it never works.



In 6.2.x these seem to be operating correctly:






So it looks like FortiOS v6.2.x has a few good fixes and improvements.



Thursday, December 19, 2019

Forcepoint NGFW now has ICAP support

Finally, the NGFW can communicate with ICAP in version 6.7.0. Here are a few interesting observations from Forcepoint.


Despite the lack of WCCP support for its own web proxy (Websense), it looks like the NGFW can be used with Forcepoint's own DLP solution.


Wednesday, December 18, 2019

SRX upgrades and alt-partitions

Within Junos on the SRX you can upgrade the SRX and boot into the other partition. This post will show you some simple commands to validate the active partition and the code installed.

In most cases, Junos has two partitions that hold the base software. Only one of these partitions is active at any given time!

slice (aka partition): da0s1a or da0s2a

The above shows a Junos disk layout. When you upgrade a Junos device you are installing the software into the inactive partition. If you add the "reboot" option to the request system software command, that is a toggle that turns on the newly upgraded partition, so to speak.

You can start a shell from the CLI and review the active partition, i.e. the partition that's set bootable, on an SRX.

e.g.

# run from the Junos CLI

start shell
su - 
fdisk /dev/da0


Flag 80 == that slice is active on this BSD disk



Here's a screenshot of a recently upgraded SRX that was previously running D190 and has now been upgraded to D200.




A quick and easy way to copy the installed Junos version to the backup slice is to use "request system snapshot slice alternate".


e.g 



And finally, we confirm with "show system media internal".


I hope these tips come in handy when you are doing maintenance on a Juniper SRX.


Tuesday, December 10, 2019

Zone firewall rules (Juniper, Palo Alto)

A very common misconception with security zones is that security admins believe all interfaces in a zone are allowed by a policy rule if that zone is called up as the src/dst zone.

A rule that has the proper src/dst address and src/dst zones for the traffic pairing will allow only the traffic flow that is listed in the address objects.

So take a zone with 10 interfaces called "trust". All 10 interfaces and the network(s) behind them will NOT be automatically allowed by a rule unless you wrote it poorly by using "all" or "any".

(Here's an example of a zone named trust with 5 interfaces.)



show security zones trust 

Security zone: trust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 5
  Interfaces:
    ge-0/0/1.0
    ge-0/0/2.0
    ge-0/0/3.0
    ge-0/0/4.0
    ge-0/0/5.0


( networks 192.168.{1..5}.0/24 )

So a rule written with a src-address match of ALL will cover all 5 networks. But that would be a very bad rule unless that is what you really wanted.


A proper rule would have the specific subnets or hosts listed.



set security policies from-zone trust to-zone untrust policy ALLOWDNS match source-address INSIDE_HOST01
set security policies from-zone trust to-zone untrust policy ALLOWDNS match destination-address any
set security policies from-zone trust to-zone untrust policy ALLOWDNS match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy ALLOWDNS match application junos-dns-tcp

set security policies from-zone trust to-zone untrust policy ALLOWDNS then permit


vs.


set security policies from-zone trust to-zone untrust policy ALLOWDNS match source-address any
set security policies from-zone trust to-zone untrust policy ALLOWDNS match destination-address any
set security policies from-zone trust to-zone untrust policy ALLOWDNS match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy ALLOWDNS match application junos-dns-tcp
set security policies from-zone trust to-zone untrust policy ALLOWDNS then permit

Proper rule authoring is a must if you want to be tight within the security policy. The use of "any" should be scrutinized very closely to ensure proper security practices are being used.

This holds true regardless of the firewall model type or vendor.
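Added example, not from the post: a small Python checker that parses set-style policy lines like the two ALLOWDNS variants above and flags permit policies that match on "any", rating a source-address of "any" (the zone-wide allow described above) higher than "any" as a destination. The sample configuration is constructed (ALLOWANY is a hypothetical wide-open policy added for contrast), and the parser handles only the `set security policies ... match/then` form.

```python
import re

# Constructed sample: the two ALLOWDNS variants from the post plus a wide-open policy
# (ALLOWANY) for contrast. Real input would be `show configuration | display set` output.
SAMPLE_CONFIG = """\
set security policies from-zone trust to-zone untrust policy ALLOWDNS match source-address INSIDE_HOST01
set security policies from-zone trust to-zone untrust policy ALLOWDNS match destination-address any
set security policies from-zone trust to-zone untrust policy ALLOWDNS match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy ALLOWDNS match application junos-dns-tcp
set security policies from-zone trust to-zone untrust policy ALLOWDNS then permit
set security policies from-zone trust to-zone untrust policy ALLOWANY match source-address any
set security policies from-zone trust to-zone untrust policy ALLOWANY match destination-address any
set security policies from-zone trust to-zone untrust policy ALLOWANY match application any
set security policies from-zone trust to-zone untrust policy ALLOWANY then permit
"""

SET_LINE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (\S+)(?: (\S+))?$")

def parse_policies(text):
    """Group set-style lines by (from-zone, to-zone, policy name) into match terms and action."""
    policies = {}
    for line in text.splitlines():
        m = SET_LINE.match(line.strip())
        if not m:
            continue  # not a security-policy line, or a form this parser does not handle
        fz, tz, name, kind, key, value = m.groups()
        pol = policies.setdefault((fz, tz, name), {"action": None})
        if kind == "match":
            pol.setdefault(key, []).append(value)
        else:
            pol["action"] = key  # e.g. "permit", "deny", "reject"
    return policies

def audit_any(policies):
    """Report permit policies whose source, destination or application match is "any".

    source-address any with a zone of N interfaces is exactly the zone-wide allow the post
    warns about, so it (and application any) is rated high; destination any is for review.
    """
    findings = []
    for (fz, tz, name), pol in policies.items():
        if pol["action"] != "permit":
            continue
        wide = [k for k in ("source-address", "destination-address", "application")
                if "any" in pol.get(k, [])]
        if wide:
            severity = "high" if "source-address" in wide or "application" in wide else "review"
            findings.append({"policy": name, "from": fz, "to": tz, "any_in": wide, "severity": severity})
    return findings
```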




Wednesday, December 4, 2019

Finding unused Junos SRX policies

On the SRX platform it is ideal to audit with commands that find policies which are not being used. Typically, if a policy is showing "zero" hits, it's a clue that one of the following applies:

  1: written wrong for src, dst or both
  2: service port is incorrect ( wrong port number(s) )
  3: src/dst zone is wrong or does not match the traffic flow
  4: traffic is not being received by the packet forwarding engine
  5: a higher-up policy is trumping the policy ( policy ordering and sequence )
  6: the requirement no longer exists ( the project has fizzled out or been eliminated )

The Junos command "show security policies hit-count less-than 10" can be executed to find all policies that have low or no matches.




As you can see, a few policies have zero matches. In a SOC, you would investigate and take appropriate action to remediate or eliminate the policy if required.

My general rule: "if you have a policy set and a firewall with considerable uptime, and certain policies are showing zero hits, then they are not required or one of the earlier items listed applies".


Monday, December 2, 2019

Forcepoint elements creator script

In Forcepoint you have the means to import elements into the SMC. You can import host objects from a CSV text file. If you want to create elements and deliver these, I have a script that builds group, host and network elements and creates the final formatted XML files.



[SOF]


#!/bin/bash
#
#  kfelix socpuppets.com
#  rev1.0
#  date oct15-2019
#
#  Script for CSV supplied customer data { e.g field1,field2,field3 }
#
#  Purpose of this script is to assist with building a bulk list of "host", "network" or
#  "group" objects based on customer provided comma-separated details in a text file
#
#  It should expedite any "Host or Network" elements, which can be easily imported into
#  the SMC after zip compressing the xml datafile
#
#  The hostfile must contain single-line entries: hostname,ipv4-address
#  The networkfile must contain single-line entries: network-name,network-number,netmask
#    in dot.dot.dot.dot format or CIDR (the netmask is copied verbatim after the "/")
#  The groupfile must contain one group name per line
#
#  e.g    wwww1,1.1.1.1
#         wwww2,1.1.1.2
#         wwww3,1.1.1.3
#
#  e.g    net10,10.0.0.0,8
#         net192.168.1.0,192.168.1.0,255.255.255.0
#
#  e.g    groupname
#
#  usage:  ./script.sh <inputfile>
#
######### ensure names do not have any spaces, use _ or - in lieu of spaces in the names #############
######### script does not validate the network number and netmask, nor the host ipv4 address format ###########

if [ $# -ne 1 ] || [ ! -r "$1" ]; then
    echo "usage: $0 <inputfile>" >&2
    exit 1
fi
INPUT=$1

# XML prologue shared by every import file; overwrites $TMP so a rerun never appends to an old file
write_header() {
    {
        echo "<?xml version='1.0' encoding='UTF-8'?>"
        echo '<!DOCTYPE generic_import_export SYSTEM "generic_import_export_v5.10.dtd">'
        echo '<generic_import_export build="10714" update_package_version="1175">'
    } > "$TMP"
}

#
#  start of menu selections
#
PS3='Please enter your choice: '
opts=("GenerateHosts" "GenerateNetworks" "GenerateGroups" "Quit")
select opt in "${opts[@]}"
do
    case $opt in
        "GenerateHosts")
            echo "Building Host Entries using filename $INPUT"
            TMP=GeneratedHostImport.$(date +'%s').xml
            read -p "Press [Enter] key to start"
            write_header
            # add host entries; -F strips optional surrounding quotes around the comma
            awk -F '"*,"*' '{ print "<host name=\"" $1 "\"> <mvia_address address=\"" $2 "\"/>\n</host>" }' "$INPUT" >> "$TMP"
            echo "</generic_import_export>" >> "$TMP"
            echo "job Completed, please see the result in xml filename $TMP"
            exit
            ;;
        "GenerateNetworks")
            echo "Building Network Entries using filename $INPUT"
            TMP=GeneratedNetworkImport.$(date +'%s').xml
            read -p "Press [Enter] key to start"
            write_header
            # add network entries; field 3 (the mask) is written verbatim after the "/"
            awk -F '"*,"*' '{ print "<network db_key=\"7900\" ipv4_network=\"" $2 "/" $3 "\" name=\"" $1 "\"/>" }' "$INPUT" >> "$TMP"
            echo "</generic_import_export>" >> "$TMP"
            echo "job Completed, please see the result in xml filename $TMP"
            exit
            ;;
        "GenerateGroups")
            echo "Building Group Entries using filename $INPUT"
            TMP=GeneratedGroupImport.$(date +'%s').xml
            read -p "Press [Enter] key to start"
            write_header
            # add group entries, one empty group element per name
            awk -F '"*,"*' '{ print "<group name=\"" $1 "\"/>" }' "$INPUT" >> "$TMP"
            echo "</generic_import_export>" >> "$TMP"
            echo "job Completed, please see the result in xml filename $TMP"
            exit
            ;;
        "Quit")
            break
            ;;
        *) echo "invalid option $REPLY";;
    esac
done


[EOF]


A very simple means to build an export.xml file.
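Added example (not part of the script above): since the script does not validate names, addresses or masks, this Python pre-check rejects bad input lines before the XML is built, and can rewrite a dotted netmask to the prefix length that the script copies verbatim after the "/". The sample inputs are constructed; NAME_OK is my own rule that encodes the script's "no spaces in names" note.

```python
import ipaddress
import re

# Names must not contain spaces (the script's own caveat); allow the usual object-name characters.
NAME_OK = re.compile(r"^[A-Za-z0-9_.-]+$")

# Constructed sample inputs in the formats the script's comments describe; lines 3-4 of the
# host file and line 3 of the network file are deliberately bad.
HOSTS_SAMPLE = "wwww1,1.1.1.1\nwwww2,1.1.1.2\nbad host,1.1.1.3\nwwww4,300.1.1.1\n"
NETS_SAMPLE = "net10,10.0.0.0,8\nnet192.168.1.0,192.168.1.0,255.255.255.0\nnet_bad,192.168.1.1,24\n"

def _fields(line):
    """Split one CSV line the same loose way the script's awk -F '"*,"*' does."""
    return [f.strip().strip('"') for f in line.split(",")]

def check_file(text, kind):
    """Validate a host (name,ipv4) or network (name,network,mask) file; returns [(line_no, problem)]."""
    want = 2 if kind == "host" else 3
    errors = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = _fields(line)
        if len(fields) != want:
            errors.append((no, "expected %d comma-separated fields" % want))
            continue
        if not NAME_OK.match(fields[0]):
            errors.append((no, "bad name %r" % fields[0]))
        try:
            if kind == "host":
                ipaddress.IPv4Address(fields[1])
            else:
                # strict by default: a network number with host bits set is rejected;
                # the mask may be a prefix length or dotted (both forms the script accepts)
                ipaddress.IPv4Network("%s/%s" % (fields[1], fields[2]))
        except ValueError as exc:
            errors.append((no, "bad address: %s" % exc))
    return errors

def normalize_networks(text):
    """Rewrite already-validated lines as name,network,prefixlen so the XML always gets CIDR."""
    out = []
    for line in text.splitlines():
        if line.strip():
            name, net, mask = _fields(line)
            out.append("%s,%s,%d" % (name, net, ipaddress.IPv4Network("%s/%s" % (net, mask)).prefixlen))
    return out
```

Run check_file() on the input first and feed normalize_networks() output to the GenerateNetworks option only when the error list is empty.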
