Saturday, September 9, 2017

Determining OSPF interface MTU byte sizes via a packet capture

When using OSPF, the need can arise to validate the interface MTU value amongst OSPF neighbors: a router rejects a Database Description packet that advertises an MTU larger than its own interface MTU, so mismatched neighbors sit in ExStart and never finish the database exchange.

OSPF authentication (none, simple password or MD5) only authenticates the packet; it does not encrypt it. The OSPF Database Description (DBD) packet therefore carries the Interface MTU field in the clear whether or not MD5 authentication is deployed, and only IPsec ESP on the link would hide it. A tool like tshark/wireshark will easily display that value (the DBD dissector shows it as "Interface MTU").

In a proper OSPF topology all interfaces attached to the LAN would use the same value. By dumping the OSPF packets you can easily find the Interface MTU value and the OSPF neighbors that are not configured correctly.

By using a packet capture you can easily gather these statistics without logging into numerous routers or devices to collect OSPF show output.
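An added example, not from the original post: the tshark extraction plus a check that flags the router(s) whose advertised MTU differs from the rest of the LAN. The field names ospf.msg, ospf.srcrouter and ospf.dbd.interface_mtu are Wireshark's OSPF dissector names (confirm them on your build with tshark -G fields | grep ospf.dbd), and the lines in sample_dbd are constructed, not taken from a real capture.

```shell
#!/bin/sh
# Added example, not from the original post: extract the Interface MTU from
# every OSPF Database Description packet in a capture and flag the routers that
# disagree with the rest of the LAN.  The field names (ospf.msg, ospf.srcrouter,
# ospf.dbd.interface_mtu) are Wireshark's OSPF dissector names; confirm them on
# your tshark build with:  tshark -G fields | grep 'ospf.dbd'
# The sample lines in sample_dbd are constructed, not from a real capture.

# DBD packets only (ospf.msg == 2), one tab-separated line per packet.
dump_dbd_mtu() {
    tshark -r "$1" -Y 'ospf.msg == 2' -T fields \
        -e ip.src -e ospf.srcrouter -e ospf.dbd.interface_mtu
}

# Reads "ip.src<TAB>router-id<TAB>mtu" lines on stdin (the dump_dbd_mtu output).
# The most common MTU is taken as the LAN value; every router that last
# advertised something else is printed as a MISMATCH.  Exit status 1 when any
# mismatch exists, so the function can gate a script.  (Ties break arbitrarily.)
find_mtu_mismatch() {
    awk -F'\t' '
        NF >= 3 && $3 != "" { mtu[$2] = $3 }
        END {
            for (r in mtu) count[mtu[r]]++
            best = ""
            for (m in count) if (best == "" || count[m] > count[best]) best = m
            printf "LAN MTU (majority): %s\n", best
            bad = 0
            for (r in mtu) if (mtu[r] != best) {
                printf "MISMATCH router %s advertises MTU %s\n", r, mtu[r]
                bad++
            }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: three routers on one LAN, 3.3.3.3 configured with a jumbo
# MTU; the repeated DBD from 2.2.2.2 shows that retransmits do not skew it.
sample_dbd() {
    printf '10.0.0.1\t1.1.1.1\t1500\n'
    printf '10.0.0.2\t2.2.2.2\t1500\n'
    printf '10.0.0.3\t3.3.3.3\t9000\n'
    printf '10.0.0.2\t2.2.2.2\t1500\n'
}

# Against a real capture:  dump_dbd_mtu ospf.pcap | find_mtu_mismatch
if [ "${1:-}" = "demo" ]; then
    sample_dbd | find_mtu_mismatch
fi
```

Run it as `sh ospf-mtu.sh demo` for the constructed sample, or pipe the tshark output from a live capture into find_mtu_mismatch; a non-zero exit means at least one neighbor on the segment is advertising a different MTU.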



Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \

Friday, September 1, 2017

Securing MySQL with SSL/TLS

With database and application servers, we find that most orgs do NOT deploy SSL/TLS encryption. This post will demo how easy it is to set a MySQL server up for SSL/TLS. Most DBAs I've met think:


  •  it's hard to set up and configure
  •  they are just plain lazy
  •  they feel it offers zero security benefit
  •  or a combination of ALL three of the above :)




You will need the following for the server:

CA cert
Server cert
Server key

You will need the following for the client(s):

CA cert
Client cert
Client key


First, here's my simplified my.cnf config (this is a very basic, slimmed-down conf):


[mysqld] 
bind-address = *
ssl-ca=/etc/ssl/ca.pem
ssl-cert=/etc/ssl/server-cert.pem
ssl-key=/etc/ssl/server-key.pem


Now to check for SSL support, show the global variables and match on ssl (SHOW GLOBAL VARIABLES LIKE '%ssl%'). If you were successful, after a restart have_ssl changes from DISABLED to YES and the MySQL server will accept TLS connections.








Now we can test basic access with the root account while specifying SSL on the client (--ssl-ca/--ssl-cert/--ssl-key, plus --ssl-mode=REQUIRED on 5.7.11+ clients; the older --ssl flag is deprecated). SHOW STATUS LIKE 'Ssl_cipher' or the \s status line confirms the session is actually encrypted:






To lock this down for just a database user account, grant them their permissions and set REQUIRE SSL for that user (REQUIRE X509 goes a step further and demands a client certificate signed by your CA):








And now compare SSL and non-SSL access.

If a user that's required to use SSL tries to connect without SSL (or without the client certificate, when X509 is required), the connection is rejected with an "Access denied" error rather than a session:





Yes it's really that simple. 


In a real professional environment you will craft unique client certificates, one per user, and ensure that each user has secured and protected their key with a passphrase.

If you want to revoke a user's access, revoke the certificate (publish a CRL and point the server at it with ssl_crl / ssl_crlpath) and remove their grants.


For the mysql service, ensure the account the daemon runs as can read the server private key file. I've seen this be the #1 problem when setting up MySQL with SSL/TLS: chown and chmod the private key so that only the mysql service account can read it.
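The whole procedure as an added, runnable example (it is not the post's own script): it builds the CA, server and client certificates with openssl, fixes the key permissions, and emits the matching [mysqld] fragment and the user SQL. The directory /tmp/mysql-tls, the CN=demo-mysql-* subject names, the mysql service account, and the appuser/appdb names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the original post's code: build the CA, server and client
# certificates with openssl, lock the server key down to the account mysqld
# runs as, and emit the matching my.cnf fragment and user SQL.  The output
# directory, the subject names (CN=demo-mysql-*), the "mysql" service account,
# the "appuser" account and the "appdb" schema are assumptions for this demo.
set -eu

# CA plus one leaf each for server and client.  MySQL rejects a server or
# client certificate whose subject is identical to the CA's subject, so each
# certificate gets its own CN.  $1 = output dir, $2 = validity in days.
gen_mysql_certs() {
    out=$1; days=${2:-825}
    mkdir -p "$out"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=demo-mysql-ca" \
        -keyout "$out/ca-key.pem" -out "$out/ca.pem" 2>/dev/null
    for role in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-mysql-$role" \
            -keyout "$out/$role-key.pem" -out "$out/$role-req.pem" 2>/dev/null
        openssl x509 -req -days "$days" -in "$out/$role-req.pem" \
            -CA "$out/ca.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
            -out "$out/$role-cert.pem" 2>/dev/null
        rm -f "$out/$role-req.pem"
    done
}

# Both leaves must chain to the CA, or clients using --ssl-mode=VERIFY_CA
# (and the server checking client certs) will fail.
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$1/server-cert.pem" "$1/client-cert.pem" >/dev/null 2>&1
}

# The #1 setup failure: mysqld cannot read server-key.pem.  Make the key
# readable by the service account only.  chown is skipped unless we are root
# and the account exists (e.g. when generating the files on a workstation).
lock_server_key() {
    key=$1; svc=${2:-mysql}
    chmod 0600 "$key"
    if [ "$(id -u)" -eq 0 ] && id "$svc" >/dev/null 2>&1; then
        chown "$svc" "$key"
    fi
    [ "$(ls -l "$key" | cut -c1-10)" = "-rw-------" ]
}

# [mysqld] fragment matching the post.  require_secure_transport (5.7.8+)
# refuses every plaintext connection, not only the users flagged below.
write_server_cnf() {
    cat <<EOF
[mysqld]
bind-address = *
ssl-ca=$1/ca.pem
ssl-cert=$1/server-cert.pem
ssl-key=$1/server-key.pem
require_secure_transport=ON
EOF
}

# One user pinned to one client certificate.  REQUIRE SUBJECT is stricter than
# REQUIRE X509 (any cert from our CA) or REQUIRE SSL (TLS, no cert needed).
# Revoking that user = revoke the cert (ssl_crl on the server) + DROP USER.
# On MySQL 5.6 the REQUIRE clause goes on the GRANT statement instead.
user_sql() {
    cat <<'EOF'
CREATE USER 'appuser'@'%' IDENTIFIED BY 'change-me'
  REQUIRE SUBJECT '/CN=demo-mysql-client';
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'appuser'@'%';
FLUSH PRIVILEGES;
EOF
}

# Client-side check: TLS required, server cert verified against our CA, and the
# negotiated cipher printed.  An empty Ssl_cipher value means NO encryption.
client_check() {
    mysql --ssl-mode=VERIFY_CA --ssl-ca="$1/ca.pem" \
          --ssl-cert="$1/client-cert.pem" --ssl-key="$1/client-key.pem" \
          -u appuser -p -e "SHOW STATUS LIKE 'Ssl_cipher';"
}

if [ "${1:-}" = "demo" ]; then
    gen_mysql_certs /tmp/mysql-tls 825
    lock_server_key /tmp/mysql-tls/server-key.pem mysql
    verify_chain /tmp/mysql-tls
    write_server_cnf /tmp/mysql-tls
    user_sql
fi
```

`sh mysql-tls.sh demo` writes the certificates, prints the [mysqld] fragment to paste into my.cnf and the SQL to run after the restart; ship ca.pem, client-cert.pem and client-key.pem to the client and run client_check from there.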



Ken Felix








Thursday, August 24, 2017

Get a Caddy (web server)

The need typically arises for a simple, lightweight HTTP daemon. The Caddy web server, which is simple and very easy to work with, has been available for a while.

https://caddyserver.com

The cool thing about Caddy is that you can custom-build it for your OS version and define the various plugins of interest or required.

Here's a macOS build where I have selected 9 of the available plugins. By hovering over each plugin on the download page you can get a summary of what that plugin does.

Here's how to check what plugins are compiled into a build binary:


macbook:caddy kfelix$ sudo ./caddy -plugins
Server types:
  net
  http

Caddyfile loaders:
  short
  flag
  default

Other plugins:
  http.basicauth
  http.bind
  http.browse
  http.datadog
  http.errors
  http.expires
  http.expvar
  http.ext
  http.fastcgi
  http.gzip
  http.header
  http.index
  http.internal
  http.ipfilter
  http.limits
  http.log
  http.markdown
  http.mime
  http.nobots
  http.pprof
  http.proxy
  http.proxyprotocol
  http.push
  http.realip
  http.reauth
  http.redir
  http.request_id
  http.rewrite
  http.root
  http.status
  http.templates
  http.timeouts
  http.webdav
  http.websocket
  net.host
  shutdown
  startup
  tls
  tls.storage.file

A simple Caddyfile can be crafted to define the various web server details, and upon launch you can use cURL to validate it.

The config gives a simple example of what you can do, from defining your own certificate+key to adding custom X- headers.

The access log follows the simple Apache (Common Log Format) style.
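An added Caddyfile (not the original post's config, which was in the screenshot) in the Caddy 0.x syntax that the plugin list above belongs to, written out by a small shell script together with a header check you can pipe `curl -sI` output into. example.com, the certificate paths, the ports and the log paths are placeholders, and the two header dumps are constructed samples.

```shell
#!/bin/sh
# Added example, not the original post's config: a Caddyfile in the Caddy 0.x
# syntax the plugin list above belongs to, with the throw-away plaintext
# listener beside the hardened TLS site, plus a check that reads the headers
# curl reports and fails if the hardening did not take.  Host name, paths and
# ports are assumptions for this demo; the sample header dumps are constructed.
set -eu

# $1 = path to write.  Directives used: root, tls (cert+key), header, log,
# errors, gzip, browse; all of them are in the plugin list above.
write_caddyfile() {
    cat <<'EOF' > "$1"
# Quick LAN file share: plaintext and directory listing.  Fine for a crunch,
# never expose this listener beyond the LAN.
:8080 {
    root /srv/share
    browse
}

# The real site: your own certificate+key, security headers added and the
# Server banner removed, Apache-style access log.
example.com:443 {
    root /var/www/site
    tls /etc/ssl/example.com.crt /etc/ssl/example.com.key
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Frame-Options "DENY"
        X-Content-Type-Options "nosniff"
        -Server
    }
    log /var/log/caddy/access.log
    errors /var/log/caddy/errors.log
    gzip
}
EOF
}

# Reads a response header block on stdin (e.g. curl -sI https://example.com/)
# and returns 1 if a hardening header is missing or Server is still disclosed.
check_security_headers() {
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    rc=0
    for h in strict-transport-security x-frame-options x-content-type-options; do
        printf '%s\n' "$hdrs" | grep -q "^$h:" || { echo "missing $h"; rc=1; }
    done
    if printf '%s\n' "$hdrs" | grep -q '^server:'; then
        echo "server banner still disclosed"; rc=1
    fi
    return $rc
}

# Constructed header dumps: what the hardened site should return, and what a
# stock Caddy 0.x site returns before the header directive is added.
sample_headers_hardened() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n'
    printf 'X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n'
    printf 'Content-Type: text/html; charset=utf-8\r\n\r\n'
}
sample_headers_stock() {
    printf 'HTTP/1.1 200 OK\r\nServer: Caddy\r\n'
    printf 'Content-Type: text/html; charset=utf-8\r\n\r\n'
}

# Live use:  caddy -conf ./Caddyfile &   then
#            curl -sI https://example.com/ | check_security_headers
if [ "${1:-}" = "demo" ]; then
    write_caddyfile ./Caddyfile
    sample_headers_hardened | check_security_headers && echo "hardened: ok"
    sample_headers_stock | check_security_headers || echo "stock: weak"
fi
```

The plaintext :8080 block is the "crunch" use case; the example.com block is what you would actually leave running, and the check fails loudly on a site that still leaks the Server banner or lacks HSTS.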
If you're ever in a crunch and need a simple web server, do not overlook Caddy.

Ken Felix






Friday, August 18, 2017

FortiOS long VDOM names

Long VDOM names are a feature supported in the most current FortiOS versions. Previously you were limited to 11 characters in a VDOM name.

Now with long VDOM names you can craft extremely long names. Take these screenshots:


The negative of long names: if you ever downgrade to an older FortiOS version that still enforces the 11-character limit, this could cause problems.

Ken Felix







Tuesday, August 15, 2017

How to validate that your FortiGate AV profile is working

When you have AV (AntiVirus) scanning enabled on a FortiGate, you should test it against any one of the EICAR test files.

First, here's the default AV profile on a typical firewall.


When the AV profile has detected a virus it will log an event in a similar format.


You can test both HTTP and HTTPS when you have SSL inspection enabled.


 

Note, this is also a sure way to test that your SSL inspection is working.


If you have NO SSL inspection profile enabled, the FortiGate firewall will let you download the EICAR test file over a secure protocol like HTTPS with no warning, because the AV engine never sees the decrypted stream. Here's a source for the text, zip and double-zip files:

http://www.rexswain.com/eicar.html


e.g. (with no SSL inspection the EICAR test file was downloaded)


Security best practice mandates that you have AV enabled and an SSL inspection profile protecting local LAN users if endpoint protection has not been installed.






Here's how a firewall policy looks from the CLI when it's enabled with an AV profile and SSL inspection.


A replacement (feedback) page will be displayed to the end user who hits the policy, with a simple link provided if they want to investigate what was blocked and why.


(HTTPS test EICAR file source)

https://secure.eicar.org/eicar.com


If you're using the FortiGate as an explicit proxy, please ensure you have AV profiles in use on the proxy policies and that the profile is in proxy mode.
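An added test script (not from the original post) that pulls the EICAR file over HTTP and HTTPS, directly or via the explicit proxy, and reports per URL whether the FortiGate blocked it. It decides from the response bytes rather than the HTTP status, since the replacement page is itself a 200. The proxy address 192.0.2.1:8080 is a placeholder, the HTTPS source is the one listed above, and the sample bodies inside the script are constructed; neither of them is the real test file.

```shell
#!/bin/sh
# Added example, not the original post's: fetch the EICAR test file over HTTP
# and HTTPS, directly or through the FortiGate explicit proxy, and decide from
# the bytes actually received whether AV caught it.  The FortiGate replacement
# page is itself an HTTP 200 with a body, so the status code proves nothing;
# the verdict comes from whether the real test file arrived.  The proxy
# address is an assumption; the HTTPS URL is the one given in the post; the
# sample bodies below are constructed (neither is the real EICAR file).
set -eu

# The raw eicar.com file starts with "X5O!P%@AP" and contains the marker
# EICAR-STANDARD-ANTIVIRUS-TEST-FILE; a block page contains neither.  (The zip
# and double-zip variants are compressed, so compare those by size or hash.)
classify_download() {
    if [ -s "$1" ] && grep -q '^X5O!P%@AP.*EICAR-STANDARD-ANTIVIRUS-TEST-FILE' "$1"; then
        echo PASSED-THROUGH
    else
        echo BLOCKED
    fi
}

# $1 = URL, $2 = optional proxy such as http://192.0.2.1:8080 (explicit proxy).
# -k because with SSL inspection the FortiGate re-signs the server certificate
# with its own CA; install that CA on the client and drop -k once this works.
fetch_and_classify() {
    tmp=$(mktemp)
    if [ -n "${2:-}" ]; then
        curl -sS -k -x "$2" -o "$tmp" "$1" || true
    else
        curl -sS -k -o "$tmp" "$1" || true
    fi
    printf '%-45s %s\n' "$1" "$(classify_download "$tmp")"
    rm -f "$tmp"
}

# Constructed sample bodies for an offline dry run (neither is the EICAR file).
sample_block_page() {
    printf '<html>FortiGate: eicar.com was blocked, virus EICAR_TEST_FILE</html>\n'
}
sample_passed_body() {
    printf 'X5O!P%%@AP-placeholder-EICAR-STANDARD-ANTIVIRUS-TEST-FILE-placeholder\n'
}

# Usage:  sh eicar-check.sh run https://secure.eicar.org/eicar.com http://...
#         PROXY=http://192.0.2.1:8080 sh eicar-check.sh run https://secure.eicar.org/eicar.com
# Expected with AV + SSL inspection: every URL BLOCKED.  HTTPS PASSED-THROUGH
# while HTTP is BLOCKED means AV works but the TLS session was never decrypted.
if [ "${1:-}" = "run" ]; then
    shift
    [ $# -gt 0 ] || { echo "no URLs given" >&2; exit 2; }
    for u in "$@"; do
        fetch_and_classify "$u" "${PROXY:-}"
    done
elif [ "${1:-}" = "demo" ]; then
    t=$(mktemp); sample_block_page > "$t";  echo "block page:  $(classify_download "$t")"
    sample_passed_body > "$t";              echo "raw file:    $(classify_download "$t")"
    rm -f "$t"
fi
```

Run it once with PROXY unset (transparent policy) and once with PROXY pointing at the explicit proxy port, so both the firewall policy and the proxy policy get exercised with the same AV profile.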


Ken Felix







Friday, August 11, 2017

Conserve mode on FortiGates

Within the FortiGate models, you have a conserve mode. This is a simple mechanism that FortiOS triggers in order to protect the system when memory runs short.

Almost all proxy-based security profiles are handled in shared memory. Any time this memory is exhausted or nearly exhausted the unit will go into conserve mode and deactivate certain scan profiles (what happens to the traffic at that point is governed by the av-failopen setting).

You can easily check if your unit is in conserve mode with the following diagnose command:

diagnose hardware sysinfo shm | grep conser



You can also review the logs; if this event happens it will be recorded as a "critical" event, e.g.:





Okay, to avoid this we need to understand the following:


  • AV profile scanning, especially in proxy mode, is the usual cause of proxy (shared-memory) conserve mode
  • Excess traffic and UTM functions drive total memory usage up and can cause kernel conserve mode
  • Be aware when running multiple scan modes (flow and proxy) side by side
  • Limit which firewall policies have AV profiles
  • Upgrade the unit if it's undersized and repetitive conserve-mode events happen


So to ensure you don't enter conserve mode you also need to reduce logging to memory, which consumes the same RAM.

Various FortiGate models use a certain percentage of shared memory or physical memory as the thresholds that determine when the unit goes into conserve mode. The FTNT support team can provide you these values upon request.

It's best to optimize the firewall just for the UTM features that you require and disable all other UTM profiles from the firewall policies.






 
Ken Felix

Deleting the root VDOM ... you can't do it!




Working with various IT/security outfits over the past few years, and with numerous security engineers up to directors, a lot of them get hung up over the VDOM name "root". I've even had numerous requests for removing the root VDOM or renaming it.




 
In one of my last encounters, they actually had me open a ticket with FTNT, and the engineer made a wild claim that he thought it could be deleted.

In fact this is NOT true! Or I have yet to be proven wrong.


Here are some screenshots of a waste of time "attempting" to remove the VDOM named "root", after deleting all policies, creating a new VDOM, and deleting any bindings to the root VDOM (interfaces, admin accounts, DHCP server, FortiAnalyzer, FortiManager, central management, etc.).









So the conclusion:


1: the root VDOM can not be deleted

2: it's just a VDOM name; use it as-is or don't use it

3: trying to rename or delete the root VDOM amounts to trying to rename or delete the Windows system32 directory or the Unix "/" directory


Ken Felix