Wednesday, April 25, 2018

SSL tools as an alternate to sslab

SSL-tools is a simple means for ID'ing  SSL websites for supported  TLS version and Certificate issues.

ssl-tools.net 

Here's a simple summary of issues found on a scan of a HTTPS website





Various information can be used for  SSL/TLS diagnostics. Here's some more information & screenshots.

 




Json  Output is also supported.
 















































NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \












Tuesday, April 24, 2018

Using FortiOS external resource list

FortiOS has the means now  to pull in  a list of  URL or IPs via a an external  webserver. The configuration is quite simple  and can be used to in security_profiles for DNS or web-Filterings

Define a list with an single address or URL per line

upload the list to your webserver

Configure the full URL and the update internal FortiOS will use











Monitor the HTTP access.log for  GET against the  source. In  this case 192.168.2.1 is our FortiOS appliance




Now you have a means to   quickly apply updates via an external source.







NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

A look at Forcepoint NGFW log forward types

The Forcepoint NGFW  has the means to forward  logs to syslog-service using  a host of  various means. The logServer properties > log forward  is how one would go about enabling the forwarding of logs

 You  can a filter and define a host of value like  src/dst address of  traffic type that you want to forward. This is great for  Security  outfits that wants certain traffic types for specific service and not all traffic.




You have a host of data outputs CEF CSV XML etc.. Here's XML and  CSV



I will post more about this NGFW  vendor in the near future and will provide a very simple list of differences between the Fortigate and Forcepoint NGFW




 





NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \


Thursday, April 19, 2018

A look at the new FortiOS v6.0

In this blog we will look at the FortiOS  v6.0



1st up  static web-filter. This list is still easy to craft and to apply in a  HTTP  fwpolicy. Typically you will define  URL filters ( static ) or use the categories  an against  a ANY dst-addr. 


If you want to  block HTTPS, you will need to  enable a SSL inspection profile


Here snippet of the categories

note: take note of the movie-theater  like ratings

The firewall.policy lookup is cool for searching  fw.policies

NOTE:  I seen it in the beta release,  and very glad it made it into the final build









Policy matches are highlighted in this off  artdeco-pinkish tone ;






The fortigate URL block message is still about the same. 

My images did not load btw for firefox & safari. Vivaldi loaded just  ( investigate the url.fortinet.net  hyperlink in the standard block page )






Here's  a Fw.policy modified for example.com  HTTP/HTTPS




Firewall policy statistics are properly displayed


Custom ssh ins profiles are quick and simple to deploy.






So far  My  FortiOS v6.0 seems to be okay









NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \


x509 certificate oids

In this blog we will look at common  oid for  certificates. These are defined and well known. 1st  these are defined under x509 v3 extension fields. The ISO ( International Standards Organization )  has set oid that are defined.

These are  a few common oids (  see  highlight arrows )





To find the certificate type and oid, most browsers let's you expand  the certificate details. Here's our friends at the NSA.gov



The 1.3.6.1.5.5.7  falls under PKIX


OID value: 1.3.6.1.5.5.7
OID description:
Top of the PKIX OID tree


And the next .3 is for    "extended key purpose"


Subsidiary references (single level)

 http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html


NOTE: the listing is not completed and numerous other  oid exist for  extended key usage








NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \



Monday, April 16, 2018

Verizon UM290 FortiOS v6.0

Here's a blog outlining  a simple setup using a 4G  Verizon  external modem with a FW50E and with  FortiOS v6.0


1st it  makes since to  check the modem and usb port using the fnsysctl cmd and the diag cmd to send AT cmds

   








Next, the basic modem configurations;





The interface for the  modem will be  name "wwan" and a default is applied once connected and the device is enable

( aka wwan interface )

config system lte-modem
    set status enable
    set extra-init ''
    set authtype none
    set apn ''
    set modem-port 255
end






The log file will display a  message similar to the following



last make sure you have a firewall-policy, use  whatismyaddress to validate











NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

How to validate a client is sending the SNI in TLS

Almost all  modern browsers uses TLS extensions and the most common one is known as Server Name Indication

https://en.wikipedia.org/wiki/Server_Name_Indication


You can use the SNI field before any  TLS decryption to determine what website the client is selecting. In this example, I'm using example.com



Various  inspections methods are available to filter on  just the  SNI  information and does not  need full TLS/SSL decryption in order to block HTTPS traffic for various sites. in fact you can  select various website to   decrypted based on HTTPS SNI  information.



So if a webclient turns off SNI, you will either need to do the following

1: place a strict deny when no SNI is present  at the client.hello

or 

2:  perform MiTM decryption to witness the http.host header and take action when matched


To   check if your browser does NOT  use SNI, launch a session to https://www.mnot.net and if you get the   "upgrade to a modern" browser than that means you webclient does not support SNI.


e.g ( using curl with -k and without  )



here's a wireshark snippet of SNI and none-SNI



Ken






NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \