
16 April 2018

Fortinet integration with SDN environments

If you are building a virtual data center or Software-Defined Data Center (SDDC), where virtual networks are everywhere, you are probably thinking about working with SDN ecosystems. Today virtualization is moving towards the Private Cloud, as well as towards the Public Cloud and the Hybrid Cloud, and security engineers have to think about how to protect these new environments. Security infrastructure therefore has to become as agile and elastic as compute, storage and networking, and it must also integrate with the underlying SDx infrastructure, such as cloud and SDN platforms.

Fortinet's Software-Defined Network Security (SDNS) solutions form a complete security ecosystem with orchestration connectors for OpenStack, Cisco ACI and Nuage Networks, as well as for VMware NSX. These connectors add security integration to the SDDC: L7 inspection, multi-tenancy, identity-based policies, micro-segmentation, Zero Trust, control of east-west traffic, inter- and intra-VM security, and logical (multi-tier) security zones. In other words, FortiGate is not just a stateful packet filter like an Amazon EC2 Security Group, but a UTM firewall with advanced features for SDN ecosystems as well.

Fortinet Solutions for Software-Defined Network Security (SDNS)
For instance, if we have deployed VMware NSX in our data center and we want L7 security even between virtual machines on the same network, along with control, visualization and analysis of traffic flows, we can deploy the FortiGate-VMX Service Manager together with FortiGate-VMX Security Appliances. Security groups created in NSX Manager are then pushed automatically to the FortiGate-VMX and become available for policy creation.

Fortinet FortiGate-VMX Solution Interaction
Another SDN platform supported by Fortinet is Cisco ACI, which is used in a Clos (leaf-and-spine) fabric rather than in a pure virtualization platform like VMware NSX. Fortinet provides a device package that is imported into the APIC, from which the FortiGate configuration is managed. Thus both the network configuration (VLANs, IP addresses, routes, etc.) and the security configuration (firewall policies, security profiles, etc.) are managed from the APIC.

Cisco ACI - Device Package Integration
OpenStack, the open-source cloud computing platform, is also supported by Fortinet, as are commercial OpenStack-based solutions such as HP Helion, PLUMgrid, Nuage Networks, NetCracker, Blue Planet, Nokia CloudBand and UBiqube. For example, we can configure an SD-WAN/zero-touch deployment with UBiqube and FortiGate-VM, where security is delivered as a service by the service provider and the enterprise security administrator can protect services easily.

Fortinet - Nuage Deployment Models

I think SDN is here to stay, for how long nobody knows. Meanwhile, some data centers have already deployed SDN solutions to take advantage of auto-scaling and auto-provisioning for elastic workloads, micro-segmentation in consolidated data centers, securing inter-VM traffic in virtual environments, or SD-WAN efficiencies with service chains. Therefore, we can start thinking about how we are going to protect our services under the new paradigm of Software-Defined Network Security.

Secure Inter-VM Traffic in Virtual Environments
Regards my friend and remember, keep studying!!

9 April 2018

Data Center Load Balancing

If your services have to be up and running 99.999% of the time (about five minutes of downtime per year), you should probably configure Global Server Load Balancing (GSLB) and DNS load balancing for them. We can configure F5 BIG-IP DNS together with F5 BIG-IP LTM for data center load balancing, or we can use Amazon CloudFront together with Amazon Route 53. Either way, GSLB topologies are increasingly deployed in large IT infrastructures where availability is a must. Therefore, I've uploaded a video showing how to configure GSLB for data center load balancing using F5 BIG-IP DNS together with LTM.
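To make the GSLB behaviour concrete before the video, here is an added example (not from the original post and not F5 code) of what a BIG-IP DNS wide-IP does at resolution time: health monitors mark a data center up or down, a topology record prefers the client's own region, round-robin shares load within the chosen pool, and a short TTL makes clients re-resolve soon after a failover. The service name, VIPs, regions and client prefixes are constructed for the example.

```python
"""Toy GSLB (wide-IP) resolver: health-aware, topology-aware DNS answers.

Added example, not from the original post and not F5 code. It mimics what
BIG-IP DNS does with a wide-IP: monitors mark data centers up or down, a
topology record prefers the client's own region, and a short TTL makes
clients re-resolve soon after a failover. All names, addresses and prefixes
below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DataCenter:
    name: str
    vip: str            # address handed out for the service in this DC
    region: str
    healthy: bool = True


@dataclass
class WideIp:
    fqdn: str
    members: list
    ttl: int = 30       # seconds; low so a failover is picked up quickly
    topology: dict = field(default_factory=dict)   # client prefix -> preferred region
    _rr: int = field(default=0, init=False)        # round-robin cursor

    def monitor(self, dc_name: str, up: bool) -> None:
        """Result of a health monitor (e.g. an HTTPS probe) for one data center."""
        for m in self.members:
            if m.name == dc_name:
                m.healthy = up

    def resolve(self, qname: str, client_ip: str):
        """Return (answer, ttl) for an A query, or None if nothing can be served."""
        if qname.rstrip(".").lower() != self.fqdn:
            return None                      # not our wide-IP
        alive = [m for m in self.members if m.healthy]
        if not alive:
            return None                      # every DC is down: fail closed, no stale answer
        addr = ipaddress.ip_address(client_ip)
        preferred = None
        for prefix, region in self.topology.items():
            if addr in ipaddress.ip_network(prefix):
                preferred = region
                break
        # Prefer the client's region; fall back to any healthy DC.
        pool = [m for m in alive if m.region == preferred] or alive
        chosen = pool[self._rr % len(pool)]
        self._rr += 1
        return chosen.vip, self.ttl


def build_wide_ip() -> WideIp:
    """Constructed sample: two data centers behind one service name."""
    return WideIp(
        fqdn="www.example.com",
        members=[
            DataCenter("dc-eu", "203.0.113.10", "eu"),
            DataCenter("dc-us", "198.51.100.10", "us"),
        ],
        topology={"10.1.0.0/16": "eu", "10.2.0.0/16": "us"},
    )


if __name__ == "__main__":
    wip = build_wide_ip()
    print(wip.resolve("www.example.com", "10.1.0.5"))   # EU client -> EU VIP
    wip.monitor("dc-eu", False)                          # EU monitor fails
    print(wip.resolve("www.example.com", "10.1.0.5"))   # same client -> US VIP
```

The design point worth noticing is the fail-closed branch: when every member is down the resolver returns nothing rather than a stale VIP, because answering with a dead address would be cached for a full TTL by every resolver on the path.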

This is the topology used for the PoC:


And this is the video where you can watch the configuration needed for Data Center Load Balancing:

Regards my friend and remember, drop a line with the first thing you're thinking.

2 April 2018

Spanning Tree Protocol

I'm working on a switch deployment project these weeks where redundancy and high capacity are important. Of course! Who doesn't want redundancy and high capacity? It depends on who you talk to, but there are people who think switches can be deployed with their default configuration and simply connected to the network, which leaves their networks flat, without layer 2 segmentation or loop-avoidance configuration. There are also people who think they can't mix switches from different vendors because of Spanning Tree compatibility. However, if you are a network engineer, you know switches should be configured, for instance, for loop avoidance, to control topology changes and to get redundancy and high capacity.

The Spanning Tree Protocol (STP), originally standardized as IEEE 802.1D, is easy to understand and every network engineer should know it. It is an old protocol for building loop-free logical topologies that prevents bridge loops and the broadcast storms they cause. It is easy to understand because a switch port can only be a root port (RP), a designated port (DP) or a blocked port (BP), and the elections are decided by comparing bridge IDs (priority plus MAC address), root path cost and port IDs. However, classic STP is rarely used any more because it can take 30 to 50 seconds to converge after a topology change (15 seconds each of listening and learning, plus up to 20 seconds of max age), which is far too long.

IEEE 802.1D - STP

STP was improved into the Rapid Spanning Tree Protocol (RSTP), standardized as IEEE 802.1w and later folded into 802.1D-2004. RSTP is backwards-compatible with classic STP and converges much faster after a topology change: a lost neighbour is detected after three missed hellos (3 x 2 seconds by default), and on point-to-point links the proposal/agreement handshake lets ports go forwarding in well under a second. RSTP also increases the port roles to five (root, designated, alternate, backup, disabled) instead of STP's original three. In addition, Cisco has its own variants, PVST, PVST+ and Rapid PVST+, which run a separate spanning tree instance per VLAN.

IEEE 802.1w - RSTP

The next step was the Multiple Spanning Tree Protocol (MSTP), standardized as IEEE 802.1s and later folded into 802.1Q-2005. It is backwards-compatible with RSTP and STP, and it also supports per-VLAN load sharing: groups of VLANs are mapped to Multiple Spanning Tree Instances (MSTIs), each with its own root bridge. This improves redundancy and link capacity, because different instances can forward on different links at the same time while each still has an alternate path to its root bridge.

IEEE 802.1s - MSTP
If we are going to install new switches in a network where there are already switches installed, from my point of view, the new ones don't have to be from the same vendor, but we should choose switches that support the same STP variant. Therefore, it's a best practice to configure standard protocols like MSTP or RSTP instead of proprietary ones.

Finally, most top of rack (ToR) switches also support Shortest Path Bridging (SPB), standardized as IEEE 802.1aq, which offers better performance, reliability and real layer 2 multipathing. Alternatively, Multi-Chassis Link Aggregation (MC-LAG), as implemented by HPE IRF, Aruba VSF and Cisco VSS, can also give us loop-free logical topologies with much better performance than traditional STP, since the redundant links are bundled into one LAG instead of being blocked.

IEEE 802.1aq - SPB
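The election rules described above (lowest bridge ID becomes root, then root path cost, sender bridge ID and port ID decide the Root, Designated and Blocked ports) are short enough to run by hand. The following added example, not from the original post and not vendor code, does exactly that for a constructed four-switch topology: three 1 Gb/s links in a triangle between SW1, SW2 and SW3, and an old access switch SW4 hanging off SW3 at 100 Mb/s. It is run twice, once with a bridge priority set on the intended core switch and once with every switch left at the default 32768, which is the "default configuration" situation the post warns about. Bridge IDs, MAC addresses and costs are assumptions made up for the example; it also assumes at most one link between any pair of switches.

```python
"""Classic 802.1D port-role election on a small switched LAN.

Added example, not from the original post and not vendor code. It computes,
for a constructed four-switch topology, which port on each segment is
Designated, which is each bridge's Root port, and which port is Blocked.
Bridge IDs are (priority, MAC) and the lowest wins; costs are the 802.1D-1998
short values (1 Gb/s = 4, 100 Mb/s = 19). Assumes at most one link between
any pair of switches. MAC addresses are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # 0-61440 in steps of 4096; default 32768
    mac: str


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    cost: int       # same cost seen from both ends


def build_switches(core_priority: int) -> dict:
    """SW1 is the intended core; SW4 is an old access switch with a low MAC."""
    return {
        "SW1": BridgeId(core_priority, "00:1b:21:aa:00:01"),
        "SW2": BridgeId(32768, "00:1b:21:aa:00:02"),
        "SW3": BridgeId(32768, "00:1b:21:aa:00:03"),
        "SW4": BridgeId(32768, "00:00:0c:11:22:33"),
    }


LINKS = [
    Link("SW1", "SW2", 4),    # triangle of 1 Gb/s links between SW1, SW2, SW3
    Link("SW1", "SW3", 4),
    Link("SW2", "SW3", 4),
    Link("SW3", "SW4", 19),   # SW4 hangs off SW3 on a 100 Mb/s port
]


def root_path_costs(switches, links, root):
    """Relax costs until stable: the root path cost every bridge would advertise."""
    rpc = {s: float("inf") for s in switches}
    rpc[root] = 0
    changed = True
    while changed:
        changed = False
        for l in links:
            for x, y in ((l.a, l.b), (l.b, l.a)):
                if rpc[x] + l.cost < rpc[y]:
                    rpc[y] = rpc[x] + l.cost
                    changed = True
    return rpc


def port_ids(switches, links):
    """Port number = order in which the link appears for that switch (1-based)."""
    pid, count = {}, {s: 0 for s in switches}
    for l in links:
        for x, y in ((l.a, l.b), (l.b, l.a)):
            count[x] += 1
            pid[(x, y)] = count[x]
    return pid


def compute_roles(switches, links):
    """Return (root bridge name, {(switch, neighbour): role})."""
    root = min(switches, key=switches.get)          # lowest bridge ID wins
    rpc = root_path_costs(switches, links, root)
    pid = port_ids(switches, links)

    # Root port: the port that hears the best BPDU (cost, sender bridge ID, sender port ID).
    root_port = {}
    for s in switches:
        if s == root:
            continue
        best = None
        for l in links:
            if s not in (l.a, l.b):
                continue
            n = l.b if l.a == s else l.a
            key = (rpc[n] + l.cost, switches[n], pid[(n, s)])
            if best is None or key < best[0]:
                best = (key, n)
        root_port[s] = best[1]

    # Designated port per segment: the end that would send the better BPDU.
    roles = {}
    for l in links:
        for x, y in ((l.a, l.b), (l.b, l.a)):
            mine = (rpc[x], switches[x], pid[(x, y)])
            theirs = (rpc[y], switches[y], pid[(y, x)])
            if mine < theirs:
                roles[(x, y)] = "Designated"
            elif root_port.get(x) == y:
                roles[(x, y)] = "Root"
            else:
                roles[(x, y)] = "Blocked"     # RSTP would call this Alternate
    return root, roles


if __name__ == "__main__":
    for label, prio in (("priority set on SW1", 4096), ("all defaults", 32768)):
        root, roles = compute_roles(build_switches(prio), LINKS)
        print(f"{label}: root={root}")
        for (s, n), role in sorted(roles.items()):
            print(f"  {s} -> {n}: {role}")
```

With the priority set, SW1 is root and the only blocked port is SW3's side of the SW2-SW3 link, exactly the redundant triangle link you would expect. With everything at defaults the lowest MAC wins, so the old access switch SW4 becomes root, the 100 Mb/s uplink to it becomes the trunk of the tree, and the port that gets blocked is on the 1 Gb/s SW1-SW2 core link. That is the practical reason to set the root bridge priority explicitly, whatever vendor the switches come from.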
Regards my friend and remember, drop a line with the first thing you're thinking.

26 March 2018

Sophie Germain

Good evening. Today I'm going to talk about Sophie Germain. She was a French mathematician, physicist and philosopher. She was born in Paris in 1776. She was 13 when the French Revolution began. In fact, her father was a politician during the French Revolution, but she liked neither politics nor money. So she spent a lot of time in the library of her house, where she read many books and studied mathematics.

At 18, when women were forbidden to enter the university, she obtained some books to study in her library, because she wanted to study mathematics.

She wrote a book, which she signed with a man's name, and she presented the book to the university. The professors liked her book very much and she won a prize, but she never went to the university to collect her prize because she felt uncomfortable in front of the men.

Later, she told the university that the book had been written by her. Then the professors realized the worth of this woman.

Today she is well known for her contribution to mathematics.

In the end, she died at 55 in Paris.

Goodbye my friends!!

19 March 2018

What’s new in FortiOS 6.0

I wrote about what's new in FortiOS 5.6 a year ago, but most FortiGate firewalls in production are still running FortiOS 5.4. Many security engineers are now upgrading to FortiOS 5.6 but, meanwhile, Fortinet moves ahead: the new security operating system, FortiOS 6.0, is going to be released in the coming weeks. It comes with more than 200 features and capabilities designed to provide the broad visibility, integrated threat intelligence and automated response required for digital business. As I've already attended an online session about the new features and improvements, I'm going to highlight the most interesting ones.

FortiOS 6.0 Dashboard

One of the enhanced features is the Security Fabric, which now extends beyond the firewalls and even beyond network security. It includes new integrations: FortiMail joins the Fabric, local caching capacity can be expanded seamlessly with FortiCache, and there is a new CASB product. The Security Fabric is also designed to shrink the windows from intrusion to detection and from detection to response. That is where the new user-defined automation feature comes in: triggers (for instance a host flagged by the Indicators of Compromise service) fire immediate actions in the form of quarantines, configuration changes, reports or other notifications.

Configuring Automation

Bandwidth management is a must, and the multi-path intelligence of SD-WAN (Software-Defined WAN) has also been enhanced in FortiOS 6.0 with SLA controls that measure application transactions, ensuring critical applications travel over the best of the multiple branch links. SD-WAN guarantees performance for SaaS, VoIP and critical business applications and provides automated failover. In addition, new one-touch VPN and zero-touch deployment further reduce complexity and bring up new enterprise branches quickly.

Best of breed SD-WAN
Another powerful enhanced feature is multi-cloud security, where connectors within the Security Fabric provide full visibility across multi-cloud environments: private cloud connectors, public cloud connectors and SaaS clouds through CASB connectors. For instance, FortiCASB (Cloud Access Security Broker) offers visibility and advanced threat protection for Software-as-a-Service (SaaS) applications such as Office 365, Dropbox, Box, AWS and more. It is also integrated with antivirus and the FortiCloud Sandbox for extended protection and detection capabilities.

FortiCASB for Office365
Asset tagging is a new feature in FortiOS 6.0 that lets us tag devices, interfaces and objects with business context, so we can manage traffic logically despite constant change at the physical layer. Once interfaces and objects are tagged, security policies written against the tags apply automatically as matching objects are created. Asset tagging therefore introduces business-precise dynamic network segmentation: tags logically separate data and resources, and we can set global policies that are enforced automatically.

Intent based network security

Last but not least, new FortiGuard protection services are available: a list of compromised hosts from the Indicators of Compromise (IOC) service; the Content Disarm & Reconstruction (CDR) service, which proactively strips potentially malicious active content embedded in Microsoft Office and Adobe PDF files, sanitizing the most common file formats; and the new Virus Outbreak Protection Service (VOS), which closes the gap between antivirus signature updates with FortiCloud Sandbox analysis to detect and stop new malware.

FortiGuard Protection Services
Regards my friends; new firewall operating system, new features, go ahead.

12 March 2018

CyberSecurity Challenge

ForoCIBER 2018 was an interesting conference about technology law and IT security, where speakers like Eloy Velasco and Enrique Ávila spoke about cybersecurity. This year, however, ForoCIBER also came with a CyberSecurity Challenge, where people under 35 with knowledge of reverse engineering, exploiting, forensics, hacking, cryptography and steganography could take part, show their technical skills and win an award. So I took the plunge and set out to solve these challenges.

The first challenge was about hacking, where I had to find a hidden word on a server. I only had the server's public IP address, but after scanning and testing with Nmap and Telnet I soon knew that remote services like SSH and MySQL were exposed to the Internet. The second thing I launched was a vulnerability assessment, to find out whether the remote services had any important issue to exploit. I also launched Armitage to exploit the remote services, but I got nothing. In the end it was easier than all of that: the administrator credentials for the MySQL database were the defaults, and the magic word was hidden there.

MySQL Access
The second challenge was about hacking, cryptography and exploiting, where I had to steal a database from a web page to get the credentials of a WebShell, and then decrypt the magic words. Stealing the database wasn't difficult because the page was vulnerable to SQL injection. However, the WebShell credentials were encrypted. I thought about the encryption algorithm for hours until I realised the letters had been rotated 14 positions to the left. Once I knew the algorithm, it was easy to log in to the WebShell and find the magic words.
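A rotation cipher like the one in the second challenge has only 25 useful keys, so it can be brute-forced in seconds rather than hours. The following added example, not from the original post and not the challenge's code, constructs a made-up credential line, rotates it 14 letters to the left as the post describes, and recovers the shift automatically by trying all 26 decryptions and ranking them by English word hits, with a letter-frequency chi-square as tie-break for ciphertexts that contain no dictionary words.

```python
"""Brute-force a Caesar/ROT shift the way the second challenge needed.

Added example, not from the original post and not the challenge's code. The
ciphertext below is constructed by shifting a made-up plaintext 14 letters to
the left, as the post describes; the cracker tries all 26 shifts and ranks
them by English word hits, with a letter-frequency chi-square as tie-break.
"""
import string

ALPHA = string.ascii_lowercase

# Relative frequency (%) of letters a-z in English text.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

COMMON_WORDS = {"the", "and", "is", "in", "of", "to", "a", "for", "with",
                "password", "user", "flag", "key", "admin"}


def rot(text: str, shift: int) -> str:
    """Shift letters right by `shift` (negative = left); other characters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = "A" if ch.isupper() else "a"
            out.append(chr((ord(ch) - ord(base) + shift) % 26 + ord(base)))
        else:
            out.append(ch)
    return "".join(out)


def chi_square(text: str) -> float:
    """Distance between the text's letter histogram and English; lower is more English-like."""
    letters = [c for c in text.lower() if c in ALPHA]
    if not letters:
        return float("inf")
    total = len(letters)
    score = 0.0
    for i, letter in enumerate(ALPHA):
        expected = ENGLISH_FREQ[i] / 100 * total
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def crack_rot(ciphertext: str):
    """Try all 26 decryptions; return (right-shift the encryptor used, plaintext)."""
    best = None
    for k in range(26):
        candidate = rot(ciphertext, -k)           # undo a right-shift of k
        words = candidate.lower().split()
        hits = sum(1 for w in words if w.strip(".,:;!?") in COMMON_WORDS)
        key = (-hits, chi_square(candidate))      # most word hits, then most English-like
        if best is None or key < best[0]:
            best = (key, k, candidate)
    return best[1], best[2]


# Constructed sample: a fake webshell credential line, "rotated 14 letters to the left".
PLAINTEXT = "the password for the admin user is hidden in the flag and not in the database"
CIPHERTEXT = rot(PLAINTEXT, -14)   # left by 14 == right by 12


if __name__ == "__main__":
    print(CIPHERTEXT)
    shift, recovered = crack_rot(CIPHERTEXT)
    print(f"recovered with right-shift {shift} (= left-shift {26 - shift}): {recovered}")
```

A left rotation of 14 is the same key as a right rotation of 12, so the cracker reports 12; either way, a Caesar shift is an encoding, not encryption, and a credential store that relies on it is no better than plaintext.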


The third challenge was about forensics: the challenger gave us a tar.gz file for the Capture The Flag (CTF). The tar.gz contained a text file with hashing information and another file, actually a RAW image, split into many small files of 100 bytes each. I put all the pieces back together with the Windows type command, although cat or affuse could have been used as well. The RAW image contained three pictures and two password-protected zip files, which I cracked with fcrackzip. Digging into the decompressed files, I found a picture with the flag hidden in its metadata.
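Joining the pieces with `type part* > image.raw` (or `cat part* > image.raw`) concatenates them in lexical order, so with more than nine pieces part10 lands before part2 and the image is silently corrupted; the hash in the accompanying text file is what tells you whether the reassembly is right. The following added example, not from the original post, reassembles chunks by their trailing number, refuses sequences with gaps, and verifies the result against a SHA-256. It assumes the challenge's hash was SHA-256; the image bytes, chunk names and expected digest are constructed in memory so it runs without any files.

```python
"""Reassemble a file split into small numbered chunks and verify its hash.

Added example, not from the original post. Shell globbing concatenates in
lexical order (part1, part10, part11, ..., part2), so this sorts chunk names
by their trailing number, checks the sequence is complete, and compares the
SHA-256 of the result with the expected digest. Assumes SHA-256 was the hash
the challenge provided. Data and names below are constructed, not real.
"""
import hashlib
import re


def chunk_number(name: str) -> int:
    """Chunk index from a trailing number, e.g. 'image.raw.12' -> 12."""
    m = re.search(r"(\d+)$", name)
    if not m:
        raise ValueError(f"{name}: no trailing chunk number")
    return int(m.group(1))


def reassemble(chunks: dict, chunk_size: int = 100) -> bytes:
    """Join chunks in numeric order; fail on gaps or short middle pieces."""
    names = sorted(chunks, key=chunk_number)
    numbers = [chunk_number(n) for n in names]
    if numbers != list(range(1, len(names) + 1)):
        raise ValueError(f"chunk sequence has gaps or duplicates: {numbers}")
    for n in names[:-1]:                       # only the last piece may be short
        if len(chunks[n]) != chunk_size:
            raise ValueError(f"{n}: expected {chunk_size} bytes, got {len(chunks[n])}")
    return b"".join(chunks[n] for n in names)


def lexical_join(chunks: dict) -> bytes:
    """What `type part* > out` does: plain string order of the names."""
    return b"".join(chunks[n] for n in sorted(chunks))


def verify(data: bytes, expected_sha256: str) -> bool:
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def split(data: bytes, chunk_size: int = 100, prefix: str = "image.raw.") -> dict:
    """Constructed helper producing the kind of pieces the challenge handed out."""
    return {f"{prefix}{idx + 1}": data[off:off + chunk_size]
            for idx, off in enumerate(range(0, len(data), chunk_size))}


# Constructed sample image (1280 bytes -> 12 full chunks plus an 80-byte tail)
# and the digest that would have come from the challenge's text file.
IMAGE = bytes(range(256)) * 5
EXPECTED_SHA256 = hashlib.sha256(IMAGE).hexdigest()
CHUNKS = split(IMAGE)


if __name__ == "__main__":
    print("lexical order verifies:", verify(lexical_join(CHUNKS), EXPECTED_SHA256))
    print("numeric order verifies:", verify(reassemble(CHUNKS), EXPECTED_SHA256))
```

With 13 pieces the lexical join fails the hash and the numeric join passes; on a real case the digest from the challenge's text file replaces the constructed one, and a failed check means re-examining the pieces rather than carving a corrupted image.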

The last challenge was about steganography and forensics, where I had to find the magic word using an IMG image. First, I mounted the image, which contained tools like HxD, Recuva and JPHS, and an empty folder called "Imagenes". Next, I used FTK Imager and Autopsy to search for deleted files, and there I found a stego container and a link to download the password for it. However, the password was a picture; thanks to the picture's name and the HxD tool, I got the real password, opened the stego container and read the magic word.

It took me nearly 28 hours to solve these challenges, which was amazing because I was thinking about them all day to work out tips and steps. In the end I got the second award, an iPad. Thank you. Thanks to the University of Extremadura and Viewnext for this interesting CyberSecurity initiative.

CyberSecurity Challenge Awards
Best regards my friends. I've asked to be a challenger next year. We'll see. Thanks.

5 March 2018

ForoCIBER 2018

I went to the second edition of ForoCiber last Friday in Badajoz, where the speakers talked about technology law and IT security. I had already been to the first national ForoCiber summit in Cáceres and I didn't want to miss this year's ForoCiber, because it's one of the few IT security meetings in Extremadura. In addition, ForoCiber is not only about IT security but also about technology law, which means IT engineers and lawyers share knowledge and points of view, which is very interesting. So I want to give an overview of the second edition of ForoCiber in this post.

The first speaker was Judge Eloy Velasco, from the Spanish National Court, who talked about technology in criminal investigations. He spoke about Law 13/2015 reforming the Criminal Procedure Act and he also told us many stories and examples. For instance, he talked about the Falciani banking data theft case and the investigation of the San Bernardino (California) shooting, where the protection of fundamental rights and collaboration with the justice system are important and, in Spain, mandatory. He also talked about geolocation, cameras, microphones, etc., used in his investigations as a judge. It was a really interesting talk.

Eloy Velasco

The next talk was by Susana González from Hiberus, who talked about the Data Protection Management System under the General Data Protection Regulation (GDPR), where risk identification, risk assessment and risk management are key to the Data Protection Impact Assessment (DPIA). In addition, she spoke about Privacy by Design and by Default, where companies should process personal data with data protection and privacy in mind at every step and the strictest privacy settings should apply by default. It was not a technical talk but a security management one.

Susana González
Miguel Ángel Arroyo, founder of Hack&Beers, was the next speaker, and he talked about SOCMINT: Social Media Intelligence. From my point of view it was a fun and interesting talk because he showed many online tools for social media intelligence, like tinfoleak for searching for Twitter users' leaks, and IntelTechniques, which collects many online tools and lets us search Twitter or Instagram users to find out where someone has been posting from recently. The best recommendation: disable geolocation in social media applications.

Miguel Ángel Arroyo
Once again, Enrique Ávila came to ForoCiber. This time, as manager of the Spanish National Centre of Excellence in Cybersecurity (CNEC), he talked about strategic cyber intelligence. He highlighted the importance of multidisciplinary teams to improve protection in cyberspace. In addition, he spoke about a strategic talent reserve for cyber defence and cybersecurity, where technical profiles could be called on by the government as volunteers to protect and help Spain.

Enrique Ávila

Finally, Manuel López, who works for the Spanish National Police, talked about computer forensics. He spoke about the importance of the chain of custody, but also about the danger and difficulty of entering criminals' houses to collect evidence. In addition, he told us that most of the forensic work he does is on mobile devices like smartphones and tablets, although he has also had to analyse laptops, servers and video game consoles.

Manuel López
To sum up, it was an interesting summit and I would like to thank the organizers for their hard and good work.

26 February 2018

FortiSIEM Overview

I have been working with Security Information and Event Management (SIEM) systems since I started at Ariadnex 9 years ago, deploying virtual SIEMs and learning the importance of event correlation. I worked with USM and OSSIM before AlienVault moved to the USA; it was a Spanish company. I've also worked with ArcSight before it was merged into Micro Focus; it was an HP solution. In addition, I've attended some webinars about LogRhythm. However, today I'm going to write about another SIEM solution. It is called FortiSIEM.

FortiSIEM Dashboard
The first time I heard about FortiSIEM was in 2016, when Fortinet acquired AccelOps, an IT security, monitoring and analytics software vendor. AccelOps had been founded in 2007 by the team behind Cisco Security Monitoring, Analysis, and Response System (MARS), a product Cisco obtained when it bought Protego Networks in 2004. This means the FortiSIEM software has more than 16 years of expertise in security information and event management behind it. Thanks to FortiXpert 2016, I got to know this product for the first time.

FortiSIEM History
FortiSIEM has several components, which can be bought as an all-in-one appliance or as a distributed architecture, and it can be deployed as a virtual appliance or a hardware appliance. There are mainly four components. Collectors are the probes that receive events from devices; there is usually one Collector per data center, customer or remote office. Workers are the processes that do event correlation, and we can install as many as we need. The Supervisor is the single pane of glass for NOC and SOC analytics and log management. Windows Agents and the Windows Agent Manager are installed on Windows systems for maximum visibility: they collect system, application and security event logs, file integrity monitoring, registry change detection, etc. Together, these four components give rapid detection and remediation of security events.

FortiSIEM Architecture
One of the features I really like in FortiSIEM is Business Services, which lets us view metrics and alerts from a business service perspective. A business service is a smart container of the devices and applications that serve a business purpose. Once defined, all monitoring and analysis can be presented from that perspective, so it is possible to track service level metrics, respond to incidents efficiently on a prioritized basis, record business impact, and provide business intelligence on IT best practices, compliance reporting and IT service improvement.

Dashboard of a Business Service
If we want to deploy FortiSIEM, we have to take into account how many devices we are going to monitor and how many events per second (EPS) they are going to send, because it is licensed by devices and EPS. We also need to know how many data centers or remote offices we are going to monitor, because we'll install a Collector in each remote network. In addition, we have to know whether we are going to install Windows Advanced Agents to gather endpoint information, because each device with an advanced agent consumes two device licenses: one for the device and another for the advanced agent.

Windows Agents

From my point of view, FortiSIEM is another SIEM solution like AlienVault, ArcSight or LogRhythm, which are complex to install, configure and manage because they have to be integrated with many systems to receive events. What's more, security engineers have to know how to define security policies properly to take advantage of these monitoring solutions.

Are you willing to manage a Security Information and Event Management solution? Let me know!!

19 February 2018

Working with SDN ecosystems

Networks were easy to understand when IT engineers worked with physical servers that had physical network interfaces and unique IP addresses. It was easy to understand and configure: we saw it and we touched it. However, more and more applications and servers are hosted on virtual platforms or in the cloud, available from anywhere at any time, with virtual network interfaces and virtual IP addresses. This is hard to grasp for those who have always worked with physical infrastructure. But applications and servers are no longer physical; if we want to take advantage of the new technology, we should learn, understand and study how this new virtual world works.

Lately, I've been writing about public clouds, such as AWS or Microsoft Azure, where everything is virtual and we don't even know exactly where our applications are hosted. However, if we build our own virtual data center or deploy a private cloud, we can use Software-Defined Networking (SDN) and security solutions such as VMware vCloud Networking and Security (vCNS), which are useful for creating virtualized networks as well as protecting our applications. For instance, these SDN-based solutions help us deploy virtual firewalls and load balancers on our own platform.

Software-Defined Networking and Security
VMware NSX is the next generation of vCNS. It is more than an SDN and security solution: it is a Software-Defined Data Center (SDDC) solution that helps us create distributed virtual firewalls and load balancers, enable micro-segmentation and configure VXLAN overlays. It is a way to build network architectures in software that also improves security inside the virtual ecosystem. No physical network interfaces and no hardware appliances: everything is virtual and everything is software.

Software-Defined Data Center (SDDC)
One of the biggest changes in this new virtual world is, from my point of view, firewalling. Today there are still security engineers who think only in terms of the traditional firewall model, which allows or denies traffic at the network perimeter. However, that is no longer enough on its own: applications must also be protected from inside the data center. For instance, Amazon Security Groups and the VMware NSX distributed firewall let us configure firewall rules per virtual machine, protecting applications from the inside.

Intuitive Firewall Rules with VMware NSX

Once we choose to deploy Software-Defined Networks, it seems harder to deploy security platforms such as IDS/IPS systems, but it's not impossible. Most virtual and cloud platforms also have networking and security features for log analysis and traffic analysis, which are useful for troubleshooting as well as for integrating with IDS/IPS virtual appliances. Thanks to port-mirroring features in virtual switches, we can keep analysing virtual machines' traffic.

VMware Port-Mirroring
I think Software-Defined Networks are just the beginning. We'll increasingly see Software-Defined Data Centers, where we'll enable micro-segmentation and workflows for virtual machines and forget about buying lots of hardware servers.

This is the new ecosystem. The virtual ecosystem. Are you ready?
