Saturday, September 9, 2017

Determining OSPF interface MTU byte sizes via a packet capture

When using OSPF, the need can arise to validate the Interface MTU value that each OSPF neighbor is advertising.

OSPFv2 has no payload encryption: authentication (null, simple password or MD5) only authenticates the packet, so the Database Description (DBD) packets that neighbors exchange while forming an adjacency carry the Interface MTU field in the clear regardless of the authentication type in use. A tool like tshark/Wireshark will display that value directly.


e.g



In a properly built OSPF topology every interface attached to the same LAN segment advertises the same Interface MTU. By dumping the OSPF DBD packets you can read each neighbor's Interface MTU and quickly spot the routers that are not configured consistently. This matters because a router rejects a DBD whose Interface MTU is larger than its own interface can accept (RFC 2328 section 10.6), so a mismatched pair never gets past the ExStart/Exchange states and the adjacency never reaches Full.
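The check described above, as an added example that is not part of the original post: a small standard-library parser that pulls the Interface MTU out of OSPFv2 DBD packets (the OSPF payload as you would get it from a pcap after the IP header), groups the values by Router ID and flags the neighbor whose MTU differs from the rest of the segment. The sample packets are constructed inline, the Router IDs 10.0.0.1-3 and MTUs are made up, and the tshark one-liner in the docstring uses the Wireshark OSPF dissector's field names for doing the same against a real capture.

```python
"""Pull the Interface MTU out of OSPFv2 Database Description packets.

Added example, not from the original post. Parses the OSPF payload with the
standard library only, so it runs offline on the constructed packets below.
Equivalent tshark one-liner against a real capture (Wireshark field names):
  tshark -r ospf.pcap -Y "ospf.msg == 2" -T fields \
         -e ip.src -e ospf.srcrouter -e ospf.dbd.interface.mtu
"""
import struct
from collections import defaultdict

# OSPFv2 header (RFC 2328 A.3.1): version, type, length, router id, area id,
# checksum, auth type, 8 bytes of auth data. There is no encryption: MD5 auth
# (type 2) appends a digest *after* the packet and leaves the header and the
# DBD body readable.
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")
# DBD fixed part (A.3.3): interface MTU, options, flags (I/M/MS), DD sequence
DBD_FIXED = struct.Struct("!HBBI")
OSPF_TYPE_DBD = 2
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2


def parse_dbd(ospf_pkt: bytes):
    """Return (router_id, auth_type, interface_mtu) for a DBD packet, else None."""
    if len(ospf_pkt) < OSPF_HDR.size + DBD_FIXED.size:
        return None
    version, ptype, _length, rid, _area, _csum, auth_type, _auth = \
        OSPF_HDR.unpack_from(ospf_pkt, 0)
    if version != 2 or ptype != OSPF_TYPE_DBD:
        return None  # hellos, LS updates etc. do not carry the MTU
    mtu, _options, _flags, _seq = DBD_FIXED.unpack_from(ospf_pkt, OSPF_HDR.size)
    return ".".join(str(b) for b in rid), auth_type, mtu


def build_dbd(router_id: str, mtu: int, auth_type: int = AUTH_NULL) -> bytes:
    """Construct a minimal DBD for testing (checksum deliberately left zero)."""
    rid = bytes(int(o) for o in router_id.split("."))
    body = DBD_FIXED.pack(mtu, 0x42, 0x07, 0x1234ABCD)
    length = OSPF_HDR.size + len(body)  # the MD5 digest is not counted in length
    if auth_type == AUTH_MD5:
        # RFC 2328 D.3: reserved(2), key id, auth data length, crypto sequence
        auth = struct.pack("!HBBI", 0, 1, 16, 100)
    else:
        auth = b"\x00" * 8
    pkt = OSPF_HDR.pack(2, OSPF_TYPE_DBD, length, rid, b"\x00" * 4, 0,
                        auth_type, auth) + body
    if auth_type == AUTH_MD5:
        pkt += b"\x11" * 16  # digest trailer; its value is irrelevant here
    return pkt


def mtu_report(packets):
    """Group advertised MTUs by router id and single out the odd ones.

    Returns (per_router, common_mtu, mismatched_router_ids). A router whose
    MTU differs from the segment's most common value is the one that will
    stall in ExStart/Exchange with its neighbours.
    """
    per_router = defaultdict(set)
    for pkt in packets:
        parsed = parse_dbd(pkt)
        if parsed:
            rid, _auth, mtu = parsed
            per_router[rid].add(mtu)
    values = [m for mtus in per_router.values() for m in mtus]
    common = max(set(values), key=values.count) if values else None
    mismatched = sorted(r for r, mtus in per_router.items() if mtus != {common})
    return dict(per_router), common, mismatched


if __name__ == "__main__":
    # Constructed sample: three neighbours on one LAN, one MD5-authenticated,
    # one misconfigured with a jumbo MTU.
    sample = [
        build_dbd("10.0.0.1", 1500),
        build_dbd("10.0.0.2", 1500, AUTH_MD5),
        build_dbd("10.0.0.3", 9000),
    ]
    per_router, common, bad = mtu_report(sample)
    for rid, mtus in sorted(per_router.items()):
        print(f"{rid:<12} MTU {sorted(mtus)}")
    print(f"segment MTU {common}; mismatched: {bad}")
```

Feed it the OSPF payloads from a capture (for example via scapy or dpkt, stripping the IP header first) and the mismatched list is the set of routers to log into; note that the MD5-authenticated neighbour parses exactly like the others, which is the point made above.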






A packet capture lets you gather this information for every neighbor on the segment without logging into numerous routers or devices to collect OSPF show output.



Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \

Friday, September 1, 2017

securing MySQL with SSL/TLS

With databases and application servers, we find that most organizations do NOT deploy SSL/TLS encryption between the two. This post will demo how easy it is to set a MySQL server up for SSL/TLS. Most DBAs I've met think:


  •  it's hard to set up and configure
  •  (or they are just plain lazy)
  •  it offers zero security benefit
  •  or a combination of all the above :)




You will need the following for the server:

CA-cert
Server-cert
Server-key

You will need the following for the client(s):

CA-cert
Client-cert
Client-key


First, here's my simplified my.cnf (this is a very basic, stripped-down configuration):


[mysqld]
# listen on all interfaces; pair this with per-user SSL requirements (below)
bind-address = *
# CA that signed both the server certificate and the client certificates
ssl-ca=/etc/ssl/ca.pem
ssl-cert=/etc/ssl/server-cert.pem
# private key: must be readable by the account running mysqld, and nobody else
ssl-key=/etc/ssl/server-key.pem


Now check for SSL support with SHOW GLOBAL VARIABLES LIKE '%ssl%'; . After a restart with the configuration above, have_ssl changes from DISABLED to YES and the ssl_ca / ssl_cert / ssl_key variables show the paths you set. If have_ssl stays DISABLED, the server could not load one of the files (see the note on key permissions at the end).








Now we can test basic access with the root account while insisting on TLS from the client side (--ssl-mode=REQUIRED on MySQL 5.7.11 and later clients, --ssl on older ones), then confirm with the \s status command or SHOW STATUS LIKE 'Ssl_cipher'; that a cipher is actually in use:






To lock this down for a particular database user account, grant them their privileges and mark the account as requiring SSL. REQUIRE SSL only forces the connection to be encrypted; REQUIRE X509 additionally demands a client certificate signed by your CA, which is what you want if the point is to authenticate the client and not just hide the traffic:








Now compare SSL and non-SSL access:



If a user whose account requires SSL tries to connect without the client certificates, he or she gets a reject similar to the one below (MySQL returns its generic access-denied error; it does not spell out that TLS was the missing piece, so check the account's ssl_type when troubleshooting):
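The account lock-down and the checks from the two paragraphs above, as an added example that is not from the original post. The user names, host pattern, database and certificate subject are hypothetical; the statements use MySQL 5.7/8.0 syntax (CREATE USER / ALTER USER ... REQUIRE, which replaces the older deprecated GRANT ... REQUIRE SSL form).

```sql
-- Added example (not from the original post); names and CN are placeholders.

-- 1. Server side: refuse any TCP client that does not negotiate TLS at all
--    (MySQL 5.7.8+; add require_secure_transport = ON to my.cnf to persist it).
SET GLOBAL require_secure_transport = ON;

-- 2. Per-account enforcement. REQUIRE SSL only forces encryption; REQUIRE X509
--    also forces a client certificate signed by the configured ssl-ca, and
--    REQUIRE SUBJECT pins one specific certificate to one account
--    (the "one client cert per user" model).
CREATE USER 'alice'@'10.10.0.%'
  IDENTIFIED BY 'change-me'
  REQUIRE SUBJECT '/C=US/O=Example Corp/CN=alice';

GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'alice'@'10.10.0.%';

-- Tighten an existing account without re-creating it.
ALTER USER 'legacy_app'@'10.10.0.%' REQUIRE X509;

-- 3. Verify what each account demands:
--    ssl_type is '' (nothing), ANY (REQUIRE SSL), X509 or SPECIFIED.
SELECT user, host, ssl_type, CONVERT(x509_subject USING utf8) AS subject
FROM mysql.user
WHERE user IN ('alice', 'legacy_app');

-- 4. From a connected session, confirm TLS really negotiated
--    (empty values here mean the session is in the clear).
SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_version', 'Ssl_cipher');

-- 5. Revocation: the server only checks a CRL if ssl-crl / ssl-crlpath is
--    configured, so dropping the account is what reliably cuts access when a
--    client key is lost.
DROP USER 'legacy_app'@'10.10.0.%';
```

Run the SELECT against mysql.user before and after the ALTER USER to see the ssl_type flip; a client that connects with --ssl-mode=DISABLED to the X509 account should then be refused with the access-denied error described above.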





Yes, it's really that simple.


In a real professional environment you will craft a unique client certificate per user and ensure each user protects his or her private key with a passphrase.

If you want to revoke a user's access, revoke the certificate and remove the account. Bear in mind that MySQL only consults a CRL when ssl-crl (or ssl-crlpath) is configured on the server, so dropping or altering the account is what actually cuts access.


For the mysql service, ensure the account that runs the daemon (normally mysql) can read the server private key file. I have seen this be the number one problem when setting up MySQL with SSL/TLS: mysqld logs an SSL error at start-up and have_ssl stays DISABLED. chown the private key to the mysql service account and chmod it to 0400 or 0600 so that account, and only that account, can read it.



Ken Felix








Thursday, August 24, 2017

Get a Caddy (web server)

The need arises from time to time for a simple, lightweight HTTP daemon. The Caddy web server is simple and very easy to shape to your needs.

https://caddyserver.com

The cool thing about Caddy is that you can custom-build it for your OS version and pick only the plugins you need or want.

Here's a macOS build where I have selected 9 of the available plugins. Hovering over each plugin on the download page gives a summary of what that plugin does.




















Here's how to check which plugins are compiled into a build binary (root privileges are not needed for this; -plugins only prints the list):


macbook:caddy kfelix$ sudo ./caddy -plugins
Server types:
  net
  http

Caddyfile loaders:
  short
  flag
  default

Other plugins:
  http.basicauth
  http.bind
  http.browse
  http.datadog
  http.errors
  http.expires
  http.expvar
  http.ext
  http.fastcgi
  http.gzip
  http.header
  http.index
  http.internal
  http.ipfilter
  http.limits
  http.log
  http.markdown
  http.mime
  http.nobots
  http.pprof
  http.proxy
  http.proxyprotocol
  http.push
  http.realip
  http.reauth
  http.redir
  http.request_id
  http.rewrite
  http.root
  http.status
  http.templates
  http.timeouts
  http.webdav
  http.websocket
  net.host
  shutdown
  startup
  tls
  tls.storage.file

A simple Caddyfile can be crafted to define the web server details, and once Caddy is launched you can use curl to validate it:






The above gives a simple example of what you can do, from defining your own certificate and key to setting custom X- headers.
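As an added example (not the Caddyfile from the original screenshot), here is a Caddyfile in the v0.10/v1 dialect that matches the plugin list above (tls, http.header, http.basicauth, http.log); Caddy v2 changed the syntax. Port, paths and the admin credentials are placeholders.

```caddyfile
# Added example, Caddy v0.10/v1 syntax; paths, port and credentials are placeholders.
:8443 {
    root /srv/www/public

    # Your own certificate and key instead of automatic Let's Encrypt,
    # pinned to TLS 1.2 only (protocols <min> <max>).
    tls {
        cert /etc/ssl/server-cert.pem
        key  /etc/ssl/server-key.pem
        protocols tls1.2 tls1.2
    }

    # Custom response headers for every path; the leading "-" removes the
    # Server banner so the build/version is not advertised.
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options    "nosniff"
        X-Frame-Options           "DENY"
        Content-Security-Policy   "default-src 'self'"
        -Server
    }

    # Protect an admin path (plugin http.basicauth); only meaningful over TLS.
    basicauth /admin opsuser change-me

    # Apache Common Log Format access log (plugin http.log) and an error log.
    log    /var/log/caddy/access.log
    errors /var/log/caddy/errors.log
}
```

Validate it with curl -kI https://localhost:8443/ (the -k only because the certificate is self-signed in a lab; use --cacert with your CA otherwise) and check that the custom headers are present and the Server header is gone, then curl -k -u opsuser:change-me https://localhost:8443/admin/ to confirm the basicauth gate; each request then shows up as a Common Log Format line in access.log.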

The access.log follows the Apache Common Log Format, so existing log parsers and SIEM collectors handle it as-is.





If you're ever in a crunch and need a simple web server, do not overlook Caddy.

Ken Felix






Friday, August 18, 2017

FortiOS long vdom names

Long VDOM names are a feature supported in the most current FortiOS versions. Previously you were limited to 11 characters in a VDOM name.

Now, with long VDOM names, you can craft extremely long names. Take these screenshots;






The negative of long names: if you ever downgrade to an older FortiOS version that still enforces the 11-character limit, those VDOM names will no longer be valid and the configuration that references them can break, so check the release notes before downgrading.

Ken Felix







Tuesday, August 15, 2017

howto validate that your FortiGate AV profile is working

When you have enabled an AntiVirus (AV) scan on a FortiGate, you should test it against one of the EICAR test files.

First, here's the default AV profile on a typical firewall.






When the AV profile detects a virus it writes a log message formatted similar to this:



You can test both HTTP and HTTPS when you have SSL inspection enabled. Note that only a deep-inspection (full SSL inspection) profile decrypts the session; a certificate-inspection profile looks at the server certificate and SNI only and cannot scan the HTTPS payload for EICAR.


 

Note: this is also a sure way to test that your SSL inspection is working, by the way.



If you have NO SSL inspection profile enabled, the FortiGate will let you download the EICAR test file over a secure protocol like HTTPS with no warning at all. Here's a source for the text, zip and double-zipped variants:

http://www.rexswain.com/eicar.html




e.g. (with no SSL inspection the EICAR test file was downloaded)





Security best practice mandates that you have AV enabled together with an SSL inspection profile to protect local LAN users, especially where endpoint protection has not been installed.






Here's how a firewall policy looks from the CLI when it has an AV profile and SSL inspection enabled:




A replacement page is displayed to the end user who hits the policy, with a link he or she can follow to see what was blocked and why.



( https test EICAR  file  source )

https://secure.eicar.org/eicar.com


If you're using the FortiGate as an explicit proxy, ensure the explicit-proxy policies also reference an AV profile and that the profile is in proxy inspection mode.


example



Ken Felix







Friday, August 11, 2017

conserve mode on FortiGates

FortiGate models have a conserve mode. It is a protective measure that FortiOS triggers to keep the system alive when memory runs short.

Almost all security profile inspection is handled in shared memory. Whenever that memory is exhausted or nearly exhausted, the unit enters conserve mode and suspends certain scanning functions; what happens to new sessions while it is in that state (passed uninspected or dropped) is governed by the av-failopen setting under config system global, so check that setting rather than assuming traffic is still being scanned.

You can easily check whether your unit is in conserve mode with the following diagnostic command (note the keyword is diagnose; "diagnostic" is not accepted by the CLI):

diagnose hardware sysinfo shm | grep conser



You can also review the logs; when this event happens it is recorded as a "critical" event.

e.g





Okay, to avoid this, we need to understand the following;


  • Combinations of AV profile scanning in proxy mode and flow mode at the same time can drive the unit into conserve mode
  • Excess traffic through UTM functions can cause kernel conserve mode
  • Be aware of running multiple inspection modes (flow and proxy) side by side
  • Limit which firewall policies carry AV profiles
  • Upgrade the unit if it is undersized and repetitive conserve-mode events happen


Also, to stay out of conserve mode, reduce logging to memory, since memory logging competes for the same RAM as inspection.

The various FortiGate models use certain shared-memory or physical-memory percentage thresholds to determine when the unit goes into conserve mode. The FTNT support team can provide these values on request; later FortiOS releases also expose them as the memory-use-threshold-green / -red / -extreme settings under config system global.

It's best to tune the firewall for just the UTM features you require and remove all other UTM profiles from the firewall policies.






 
Ken Felix
 

deleting the root vdom... you can't do it!




Working with various IT/Security outfits over the past few years, and with numerous Sec-Engineers up to Directors, I have found a lot of them get hung up over the VDOM name "root". I've even had numerous requests to remove or rename the root VDOM.




 
In one of my last encounters, they actually had me open a ticket with FTNT, and the engineer made a wild claim that he thought it could be deleted.

In fact this is NOT true! Or I have yet to be proven wrong.


Here are some screenshots of a waste of time "attempting" to remove the VDOM named "root", after deleting all policies, creating a new VDOM, and removing any bindings to the root VDOM (interfaces, admin accounts, DHCP server, FortiAnalyzer, FortiManager, central management, etc.):









So the conclusion;


1: the root VDOM cannot be deleted

2: it is just a VDOM name; use it as-is, or leave it empty and do not use it

3: trying to rename or delete the root VDOM amounts to trying to rename or delete the Windows system32 directory or the Unix "/" directory


Ken Felix

Monday, August 7, 2017

Fortigate Explicit Proxy with webfiltering

In schools, both public and private sector, a web proxy with URL filtering is a must. It ensures pupils are restricted in what content they can access.

Here I will show a top-level view of a multiple explicit-proxy setup where user groups are defined to grant users access based on the web filter profile applied to them.












































You could have multiple web filter profiles defined for the various groups.


In the above, we allow the grade-level network ranges to reach the explicit proxy addresses, which happen to be loopback interfaces.

A firewall policy (or policies) is required to allow the client networks to reach the proxy addresses.

These policies allow the web clients to reach the proxy only; all direct outbound traffic from the clients to the internet stays blocked because no regular firewall policy permits it. You do NOT need a firewall policy from the loopback address outward: the proxy terminates the client connection itself, and the requests it makes on the clients' behalf are governed by the explicit-proxy policies (with dstintf set to the WAN interface) instead.

First (example of the web client allowances to the web proxy):


config firewall policy
    edit 0
        set dstintf "loop1"
        set srcintf "LAN1" "LAN2"
        set srcaddr "LANNET01" "LANNET02"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "WEB_PROXY" "PING"
        set comments " !!!!!ALLOW  EXPLICIT  PROXY TO THE CLIENTS school!!!!"
    next

    edit 0
        set dstintf "loop0"
        set srcintf  "LAN3"
        set srcaddr "LANNET03" 
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "WEB_PROXY" "PING"
        set comments " !!!!!ALLOW  EXPLICIT  PROXY TO THE CLIENTS school!!!!"
    next

 end


The above allows the source networks to reach their respective proxy addresses. You can hand these proxy addresses to Windows clients via GPO, or configure them statically on others.


Now, on the loopback interfaces, we only need to turn on the web proxy service:


config system interface
    edit loop0
        set explicit-web-proxy enable
    next
    edit loop1
        set explicit-web-proxy enable
    next
end



The above lets the web clients reach the web proxy service on the two loopbacks.


Now, with the policies in place and the web proxy enabled, you can optionally configure web proxy profiles and global settings.

Next we define the web filter profiles; each may be a combination of categories and static URL filters.



In order to use a URL filter with the explicit proxy, the web filter profile MUST be set to proxy inspection mode. Note also that with certificate-inspection as the SSL/SSH profile (as in the policy below) the FortiGate only sees the server certificate and SNI of HTTPS sessions, so category and domain matching works but matching URL paths inside HTTPS requires deep inspection.








Now, with all of the above in place, you can define explicit proxy policies similar to the following;


config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set dstintf "wan1"
        set srcaddr "SCHOOL EDU_NET_RANGE"
        set dstaddr "all"
        set service "WEB_PROXY"
        set action accept
        set identity-based enable
            config identity-based-policy
                edit 1
                    set schedule "always"
                    set utm-status enable
                    set group  "proxy_user0"
                    set webfilter-profile "SCHOOL"
                    set profile-protocol-options "default2"
                    set ssl-ssh-profile "certificate-inspection"
                next
                edit 2
                    set schedule "always"
                    set users "proxy_user1"
                next
                edit 3
                    set schedule "always"
                    set  group  "School_Resource_Group"
                next      
                edit 4
                    set schedule "always"
                    set group  "K-12students"
                    set utm-status enable
                    set webfilter-profile "SCHOOLK12"
                    set profile-protocol-options "default2"
                    set ssl-ssh-profile "certificate-inspection"
                next
            end
    next
end





Each identity-based policy rule can use a different authentication type or method (local user, RADIUS, LDAP, etc.). A RADIUS- or LDAP-as-a-service solution could also be used.



For example, you might use a RADIUS-aaS for one group of users, a static local user for diagnostics, and authenticate the student and faculty body via MS-AD credentials.


Be aware of the identity rule ordering: the rules are evaluated top-down, so the order decides how a given user can authenticate and which profile applies to him or her.







The explicit proxy is a great means of controlling and inspecting user requests. The FortiGate makes it simple to web filter on domain and *wildcard syntax matches, plus category-based filtering.


Each identity rule can have its own web filter profile to match the web clients' authorizations.


Examples

  •   the police/resource officer is allowed all sites, including social media, to investigate threats
  •   K-5 has a restrictive profile that allows only educationally approved sites or static entries
  •   grades 8-12 are allowed the same plus any SAT or assessment systems in a static URL list
  •   the Information Team has access to IT sites for uploads/downloads and security-related matters
  •   guest users have basic access to sites deemed approved

To test the proxy I've found that launching Chrome manually is a great method. You can use a static PAC file or point it straight at the proxy server.

( launching chrome )


( sample pac.file )
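As an added example, not the PAC file from the original screenshot, here is a sample PAC file for the two-loopback setup above together with the way to launch Chrome against it. All addresses are hypothetical: the explicit proxies are assumed to be the loopbacks 10.255.0.1 (loop0) and 10.255.0.2 (loop1) on port 8080, the school's internal domain school.local, and the grade-level client networks 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16 standing in for LANNET01, LANNET02 and LANNET03. It deliberately avoids the browser-only PAC helpers (isInNet, dnsDomainIs, shExpMatch) so the same file can be unit-tested in Node.

```javascript
// Sample PAC file for the two-loopback explicit proxy setup (added example,
// not from the original post; every address below is hypothetical).
// loop0 = 10.255.0.1, loop1 = 10.255.0.2, both listening on 8080.
var PROXY_LOOP0 = "PROXY 10.255.0.1:8080";
var PROXY_LOOP1 = "PROXY 10.255.0.2:8080";

// Plain ES5 helpers so the file runs in any browser PAC engine and in Node.
function endsWithSuffix(host, suffix) {
  return host.length >= suffix.length &&
    host.substr(host.length - suffix.length) === suffix;
}

// Dotted quad -> integer 0..2^32-1, or -1 if the string is not an IPv4 literal.
function ipToInt(addr) {
  var parts = addr.split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var o = parseInt(parts[i], 10);
    if (isNaN(o) || o < 0 || o > 255 || String(o) !== parts[i]) return -1;
    n = n * 256 + o;
  }
  return n;
}

// CIDR test without bitwise operators (JS bitwise ops are signed 32-bit and
// would mangle addresses above 127.255.255.255).
function inCidr(addr, network, bits) {
  var a = ipToInt(addr), n = ipToInt(network);
  if (a < 0 || n < 0) return false;
  var hostBits = Math.pow(2, 32 - bits);
  return Math.floor(a / hostBits) === Math.floor(n / hostBits);
}

// myIpAddress() is supplied by the browser's PAC engine; outside a browser
// (unit-testing in Node) fall back to a fixed address in the LANNET03 range.
function clientAddress() {
  return (typeof myIpAddress === "function") ? myIpAddress() : "10.3.7.42";
}

// Mirror the per-grade-level firewall policies in the post:
// LANNET01/LANNET02 -> loop1, LANNET03 -> loop0. Unknown clients still get a
// proxy (never DIRECT) so nobody slips past the web filter.
function proxyForClient(clientIp) {
  if (inCidr(clientIp, "10.1.0.0", 16) || inCidr(clientIp, "10.2.0.0", 16)) return PROXY_LOOP1;
  if (inCidr(clientIp, "10.3.0.0", 16)) return PROXY_LOOP0;
  return PROXY_LOOP1;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal destinations bypass the proxy: plain hostnames, the school
  // domain and RFC 1918 literals.
  if (host.indexOf(".") === -1 || host === "localhost") return "DIRECT";
  if (endsWithSuffix(host, ".school.local")) return "DIRECT";
  if (inCidr(host, "10.0.0.0", 8) || inCidr(host, "172.16.0.0", 12) ||
      inCidr(host, "192.168.0.0", 16)) return "DIRECT";
  // Everything else goes through the explicit proxy, with the other loopback
  // listed as failover should the primary not answer.
  var primary = proxyForClient(clientAddress());
  var secondary = (primary === PROXY_LOOP0) ? PROXY_LOOP1 : PROXY_LOOP0;
  return primary + "; " + secondary;
}
```

Launch Chrome against it with --proxy-pac-url=file:///path/to/school.pac, or skip the PAC and test one proxy directly with --proxy-server=10.255.0.2:8080; both flags override whatever proxy the operating system has configured. myIpAddress() is unreliable on multi-homed clients, which is why the fallback is still a proxy rather than DIRECT and why every answer names the second loopback as failover.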




Based on your web filter categories or static URLs and the actions assigned to them, you can test for allow or block: depending on the user group and the action configured for the URL, you will either be allowed or denied. If denied, you get a response page similar to the one below.


If you fail AUTHENTICATION, the proxy returns a login-failure message.



 


If you use Chrome, always check which proxy settings the SYSTEM has enabled, since Chrome follows the operating system's proxy settings unless they are overridden on the command line.



Ken Felix