
15 July 2019

FortiWeb - SQLi Test



I’ve already written a lot about Web Application Firewalls (WAF). I think these appliances are useful for securing web applications at layer 7 from sophisticated attacks such as XXE or CSRF attacks. In fact, I’ve already deployed, installed and configured several WAF appliances such as F5 BIG-IP ASM and AWS WAF. However, I had never deployed, installed and configured the Fortinet FortiWeb WAF appliance until last week.

Fortinet FortiWeb is a Web Application Firewall which has many more web security features than Fortinet FortiGate for blocking web application attacks. For instance, FortiWeb can be configured with Machine Learning to protect web applications from known and unknown exploits. Therefore, FortiWeb defends applications from known vulnerabilities and from zero-day threats. I think FortiWeb is easy to manage and configure, like any other appliance of the Fortinet family. In addition, the Fortinet Security Fabric can also interoperate with FortiWeb.

There are lots of network topologies for deploying a WAF. On one hand, we should always deploy the WAF behind the network firewall, so that the WAF sits between the firewall and the web servers. A WAF and an IPS are not the same thing. Most network firewalls have an IPS, which is useful for blocking layer 3 attacks such as IP spoofing or DoS attacks. However, a WAF is useful for blocking layer 7 attacks. Therefore, we should block layer 3 attacks before layer 7 attacks.

FortiGate + FortiWeb

On the other hand, we should deploy the WAF in front of the load balancer, so that the WAF sits between the load balancer and the clients. There are two main reasons for this deployment. Firstly, we don’t have to load balance the WAF devices; we only balance the real servers. Secondly, HTTP requests will correctly appear to originate from the real client’s IP address, not from the load balancer’s address (as would happen with SNAT).

FortiWeb + FortiADC
 
These are two recommendations for planning the network topology. However, we have to take another one into account. We should know the difference between router mode and one-arm mode. Router mode is the topology where the WAF is the real servers’ gateway; therefore, there is no SNAT, but we need a new network to deploy the WAF between the real servers and the network firewall. One-arm mode is easier to deploy because we don’t need a new network, but SNAT configuration is required; therefore, the X-Forwarded-For (XFF) header has to be enabled to know the clients’ IP addresses.

One-arm mode topology
 
FortiWeb is easy to configure and manage. If we want to configure a basic security policy to defend a web application, we’ll have to configure a server pool, a virtual server and a server policy. Firstly, the server pool is the set of real servers which are going to be defended. Secondly, the virtual server is the WAF IP address which is going to listen for HTTP/S requests. Finally, the server policy is the security configuration that defends the server pool behind the virtual server IP address. For instance, we can watch a basic security configuration in the next video to defend a web application from a SQLi attack.


"select * from users where LAST_NAME = '" + userName + "'";
select * from users where LAST_NAME = 'Lim' OR '1'='1';
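The two lines above, as an added example that is not part of the original post or FortiWeb itself: the post’s string concatenation is run against a constructed in-memory SQLite users table, next to the parameterized form that removes the injection, and a minimal tautology signature of the kind a WAF rule matches (a hypothetical illustration, not FortiWeb’s signature set).

```python
import re
import sqlite3

# Constructed sample rows for the demonstration (not data from the original post).
SAMPLE_USERS = [
    ("Lim", "lim@example.test"),
    ("Park", "park@example.test"),
    ("Kim", "kim@example.test"),
]

# The injected value behind the post's second line: it closes the quote and adds a tautology.
INJECTED_NAME = "Lim' OR '1'='1"


def make_db():
    """Build an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (LAST_NAME TEXT, EMAIL TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query_unsafe(user_name):
    """Same concatenation as the post: the input becomes part of the SQL text."""
    return "select * from users where LAST_NAME = '" + user_name + "'"


def lookup_unsafe(conn, user_name):
    """Vulnerable lookup: the injected tautology makes the WHERE clause always true."""
    return conn.execute(build_query_unsafe(user_name)).fetchall()


def lookup_safe(conn, user_name):
    """Fixed lookup: the value is bound to a placeholder and never parsed as SQL."""
    return conn.execute(
        "select * from users where LAST_NAME = ?", (user_name,)
    ).fetchall()


# Minimal quote-closing OR tautology signature, the kind of pattern a WAF rule checks
# on request parameters (hypothetical illustration, not FortiWeb's actual signatures).
TAUTOLOGY = re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.IGNORECASE)


def waf_flags(parameter_value):
    """Return True when the parameter value matches the tautology signature."""
    return bool(TAUTOLOGY.search(parameter_value))


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe(INJECTED_NAME))
    print("unsafe rows:", len(lookup_unsafe(db, INJECTED_NAME)))  # every row in the table
    print("safe rows:  ", len(lookup_safe(db, INJECTED_NAME)))    # no such last name
    print("waf flags:  ", waf_flags(INJECTED_NAME))
```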

Regards my friends. Have a nice day!

8 July 2019

DNS and Web Filtering



The Internet works with IP addresses, but nobody learns the web server’s IP address; instead, we learn the domain name. It’s like a telephone number: nobody learns the number, we look it up in the contacts list. As a result, the DNS service is very important for most companies. Actually, this service has to be always available and the response time has to be quick. In fact, if the root domain servers were shut down, most people would think there is no Internet.

The DNS service is used by most people as well as by most computers for machine to machine communications. However, it’s also used by most malware, which may request domain names similar to the legitimate one or request domain names that are totally different and difficult to remember, as DGA malware does. For instance, the Zeus and Cryptolocker malware use a DGA to connect to the C&C server and, thanks to this algorithm, they can bypass security policies such as IP reputation policies.

Malicious Domain Name

There are lots of security websites which help us look up domain names to know whether a domain name is malicious or a good one. For example, Open Threat Exchange (OTX) is a website where we can search Indicators of Compromise to get a full description of the attack. VirusTotal is well known by most security engineers; there it is easy to look up URLs or upload files to know if they are suspicious or infected. Another interesting website is FortiGuard, where it is also easy to look up domain names and IP addresses. All of these websites are useful for malware forensics.

Open Threat Exchange (OTX)

These security websites are useful for malware forensics. However, if we are browsing these websites, maybe it’s because the attack or the infection has already happened. It’s too late. Therefore, companies should install security appliances which are able to analyse DNS requests and responses to look for suspicious domain names. For instance, this kind of service can be configured on FortiGate devices, where we can block DNS requests and responses by category, such as malicious domains, phishing domains, social network domains, etc.

DNS Filter

There are also security appliances which are able to analyse HTTP requests and responses to look for suspicious websites. When a computer requests a website, it has already resolved the domain name of that website. Therefore, it would be better to block the DNS request, because it happens before the HTTP request. However, web filtering services are also useful because we can analyse the content of a website. We can inspect the content of the website to look for downloaded malware. In addition, we can even analyse HTTPS traffic, where lots of malware is downloaded and C&C communications take place.

Web Filter

DNS filtering and Web filtering are mandatory for most companies where there are users with Internet access. However, in medium and big companies DDI appliances are also useful for better DNS, DHCP and IPAM management. These appliances are also able to analyse DNS requests to look for malicious domain names. In addition, DDI appliances are able to produce reports that are useful to know which endpoints are infected.
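As an added example (not code from the original post, from FortiGate or from any DDI product) covering both the DGA-style domains described earlier and the per-endpoint reports mentioned here: a length-and-entropy heuristic run over a few constructed resolver log lines, producing the list of names to block and a count of suspicious lookups per client. The log format and the thresholds are assumptions made for the demonstration.

```python
import math
from collections import Counter

# Constructed resolver log lines (timestamp, client IP, queried name) for the demonstration;
# this is not a real FortiGate or DDI log format.
SAMPLE_DNS_LOG = """\
2019-07-08T10:00:01 10.0.0.12 www.example.com
2019-07-08T10:00:02 10.0.0.12 mail.example.com
2019-07-08T10:00:03 10.0.0.34 xk3jd9qwpz7fh2lmvb4t.com
2019-07-08T10:00:04 10.0.0.34 q8w2e7r1t5y9u3i6o0p4.net
2019-07-08T10:00:05 10.0.0.12 apprendre.tv5monde.com
"""

# Illustrative thresholds (assumptions, not vendor values): DGA labels tend to be
# long and to use characters almost uniformly, so their entropy is high.
MIN_LABEL_LENGTH = 12
MIN_ENTROPY = 3.5


def shannon_entropy(text):
    """Bits of entropy per character of the label; random-looking labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label left of the TLD (simplified: ignores multi-part suffixes such as co.uk)."""
    parts = qname.strip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_like_dga(qname):
    """Heuristic: a long, high-entropy registrable label."""
    label = registrable_label(qname)
    return len(label) >= MIN_LABEL_LENGTH and shannon_entropy(label) >= MIN_ENTROPY


def parse_log(log_text):
    """Yield (timestamp, client, qname) tuples from the constructed log format."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            yield tuple(fields)


def suspicious_queries(log_text):
    """Return the (client, qname) pairs whose name matches the DGA heuristic."""
    return [
        (client, qname)
        for _, client, qname in parse_log(log_text)
        if looks_like_dga(qname)
    ]


def infected_endpoints(log_text):
    """Per-client count of suspicious lookups: the kind of report a DDI appliance gives."""
    return dict(Counter(client for client, _ in suspicious_queries(log_text)))


if __name__ == "__main__":
    for client, qname in suspicious_queries(SAMPLE_DNS_LOG):
        print(f"block {qname} (requested by {client})")
    print(infected_endpoints(SAMPLE_DNS_LOG))
```

Real DGA detection also uses n-gram or dictionary models and per-client NXDOMAIN rates; the entropy rule alone will miss dictionary-based DGAs and flag some legitimate CDN hostnames.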

DNS-DHCP-IPAM (DDI)

Regards my friends. Keep studying!!!

1 July 2019

Inside Soviet Military Intelligence



I’ve finished the French language course, so I’ve started reading books again. Actually, I’ve been reading Inside Soviet Military Intelligence by Viktor Suvorov these last two weeks because I’ve been less stressed and I’ve had more free time for reading, sports, beers, etc. So I’ve been reading this interesting book, where I’ve learned how Soviet intelligence worked, what its hierarchical organization structure was, how they recruited illegals, etc. I think this is an interesting book because the Russian military intelligence service is one of the most powerful intelligence services in the world.

The book was written in 1984, and we can read about the history of the KGB and the GRU, agent recruiting, agent communications, tactical reconnaissance, etc. I’ve read about two Russian security agencies whose main functions were foreign intelligence and counter-intelligence. This amazing and secret world has many activities that civilians would never think of. For instance, we have recently learned that Skripal and his daughter were poisoned with Novichok, maybe by the GRU.

I’m sure there are many illegal activities out there where intelligence services get whatever they want, no matter how they get it or what they have to do. The aim is getting the information and achieving the goal successfully. This is a useful book for getting to know another world. I recommend reading this book if you really love the intelligence services.

Regards my friends. Keep reading!!!

24 June 2019

French Language



I finished the first course for the B1 level in French last week. I’m glad to say I passed the exam. However, this course has been a little bit more difficult than the last one. Obviously!! It’s an intermediate level instead of a basic level. I think it has been more difficult because I didn’t spend enough time studying. This year, I’ve had less time to study French than last year. Therefore, I haven’t trained the writing, listening, speaking and reading skills very well. Nevertheless, I got good marks. Not very good marks, but good marks.


I got 8,5 in the listening skill, which is very good. I keep listening to the France Info radio each time I’m taking a shower. In addition, I’ve done many listening exercises on the website apprendre.tv5monde.com, and I downloaded lots of listening exercises and exam examples from Official Schools of Languages such as the schools of Andalusia, the Canary Islands or Galicia. What’s more, I’m not used to listening to the radio while I’m driving my car, but I listen to tracks about how to say some sentences in French. All of these have been enough to pass the listening skill.

I think speaking in French is one of the most difficult skills because it’s hard to train and it’s difficult to know whether you are speaking well or making lots of mistakes. It’s also difficult because I usually speak Spanish with everybody and I only speak French when I’m at school or I meet up with my classmates. Finally, I passed the speaking skill with a score of 7,5 thanks to Vaughan Bonjour!, where I spoke alone in my house. Yes, it’s true. I’ve spoken and repeated alone everything I heard from Vaughan Bonjour!

The reading skill is an easy skill because understanding every word and sentence is not needed. In addition, there are French words which are written similarly in Spanish. Therefore, it’s usually easy to understand texts in French. In fact, it’s a skill almost everybody passes. I haven’t read a lot for this course. I’ve only read a few documents such as the Revue Stratégique Cyberdéfense de France, which is really interesting. However, it has been enough to pass the exam with a score of 8.

The most difficult skill for me is the writing skill, and this is the main reason why I’m writing this blog. When I was studying English, I wasn’t able to pass the writing exam properly. Sometimes I had to retake the exam. As a result, I opened this blog to improve my writing skill. Thanks to this blog and all the documents I’ve written, I’ve got a score of 6,75.

This year, there has been a new skill, which is about mediation. For instance, we have a document with pictures and texts, and we have to write and explain to someone what the best dates for buying flights are or how to get somewhere. I got a score of 7. Not bad!!

Regards my friends. Keep learning languages because it also improves your brain!!

17 June 2019

What’s new in FortiOS 6.2



You already know that I like reading about and testing new features. I wrote about What’s new in FortiOS 5.6, What’s new in FortiOS 6.0 as well as What’s new in BIG-IP version 14.0. Therefore, I’m going to write about What’s new in FortiOS 6.2, where there are lots of new features and interesting enhancements for security engineers. Right now, I usually install FortiOS 6.0 on production firewalls, but I think it’s good to know the new features and enhancements because, maybe, we’ll require them in the future.

The Security Fabric is increasingly useful when we have more than one Fortinet appliance. For example, FortiOS 6.0 was already able to integrate the firewall with many Fortinet appliances. Consequently, we can see interesting information in FortiView. However, FortiOS 6.2 is also able to integrate the firewall with more Fortinet appliances such as FortiMail and FortiWeb. In addition, there are more Fabric Connectors available, such as connectors for IP addresses, malware hashes and multi-cloud.

Security Fabric

SD-WAN is another feature which is getting better. We can already configure an IPsec VPN tunnel over more than one WAN interface to another FortiGate to build an overlay tunnel. Therefore, VPN bandwidth can be increased easily with multiple Internet links. Traffic shaping is also improved: we can configure shaping profiles with network requirements for applications, such as maximum bandwidth or priority.

SD-WAN - Per Packet WAN Path Steering
 
There is another feature I really like. In FortiOS 6.0 we can configure only one inspection mode: we have to choose between flow-based mode or proxy-based mode. However, if we want to enable the Web Application Firewall, we need to enable proxy-based mode, but if we want to configure firewall policies by application, we need to enable flow-based mode. Therefore, we cannot have both features, WAF and firewall policies by application, at the same time. FortiOS 6.2 supports both inspection modes at the same time.

Inspection Mode
 
Wireless and switching improvements have been included in FortiOS 6.2. This new version supports WPA3 and Wi-Fi 6 (802.11ax). For instance, we’ll be able to configure the WPA3 transition mode, which will be useful for wireless networks where there are mobile devices that support WPA2 but not WPA3. What’s more, security enhancements have been included for FortiSwitch, such as maximum bandwidth and priorities for quarantine VLANs.

Twenty-year timeline of 802.11 standards
 
FortiOS 6.2 has lots of new security features and enhancements which will be very interesting for most companies and security engineers. Today, most FortiGate firewalls run FortiOS 6.0, but they will run FortiOS 6.2 in the near future.

Regards my friends. Have a nice day ;-)

10 June 2019

Operation Sharpshooter



I would like to learn more and more about how the latest malware works. In fact, from time to time, I read about the techniques they use to exploit operating systems and get the information they are looking for. I like this kind of information because I think it’s useful for my job. Firstly, it’s useful because we stay up to date on the latest vulnerabilities, and this is a best practice. Secondly, it’s useful because we can protect services better when we know how attacks work. Finally, it’s fun and rewarding to know how malware works.

Today, I’m going to write about Operation Sharpshooter, which is one of the latest malware campaigns. This operation uses the Rising Sun malware against critical infrastructure, government and finance, such as nuclear power stations, banks, electrical companies and the army. This malware is similar to the Duuzer backdoor because both decode and exfiltrate information in the same way. Security researchers think Operation Sharpshooter comes from the Lazarus Group.

How does this operation work? Firstly, they gather lots of information about people who work in the company they want to attack. Secondly, they send the victims a malicious document about a new and better job. Thirdly, the victims open the malicious document, which executes shellcode. This shellcode downloads the Rising Sun malware and a decoy document. Finally, the malware collects lots of information, such as operating system, computer name and IP address, and sends this information encrypted to the control server.

Infection flow of the Rising Sun implant, which eventually sends data to the attacker’s control servers

Actually, I’ve seen many operations like this where social engineering and spear phishing are the ways of getting malware into the organization. However, this kind of operation is increasingly persistent and targeted at specific companies. Therefore, it’s more difficult to detect these campaigns. For instance, we already know about this operation against some critical infrastructure, but we don’t yet know what the goal of collecting and exfiltrating this information is.

Thanks for reading my blog!! If you know books about malware, write them down in the comments!

3 June 2019

Travels



I can remember very well the first time I travelled to another country. I was 20 years old and I was studying at the University in Mérida. I had the opportunity to go to England to learn English. So I went! At first, it was very difficult because I didn’t speak any English. In the end, it was a lot of fun because I learned English and I met lots of people. Since the trip was great, I went to Malta the following year to improve my English.

Those two trips changed the way I look at languages. Afterwards, I kept travelling. First, I helped clean a school in Istanbul. Then, I went to Moscow to work in a children’s camp during the summer. Finally, I also went to Prague to clean up the forest. So I improved my English a lot, but I also learned a lot about culture and gastronomy.

A souvenir from Turkey

All these trips changed the way I look at the world. First, languages changed my way of life. Finally, working as a volunteer changed the way I look at the world.

Bye!

27 May 2019

Two FortiGates in a VRRP domain



I still remember when I wrote the HSRP, VRRP and GLBP post. I was studying for the CCNP Route exam. In fact, this post is the most viewed on my blog. I learnt how these First Hop Redundancy Protocols (FHRP) work. I learnt that VRRP works with the multicast IP address 224.0.0.18 and IP protocol number 112. It was great to know there were protocols for high-availability routing. Thanks to them, we can configure two routers with the same IP address, which is the default gateway for users, and if one of them fails, the other one takes over.

Last week, I’ve been configuring two FortiGates in a VRRP domain because I needed high availability between different models of firewalls. I know the best architecture is a cluster of the same firewall model, but when the project requires high availability with different models, we have to look for a solution. The configuration is easy. We have to enable vrrp-virtual-mac on the port and set the virtual IP address. In addition, we should set a higher priority number on the primary FortiGate and a lower priority number on the backup FortiGate.

Configuring two FortiGates in a VRRP domain

If we use FortiGate firewalls to secure services such as HTTP and HTTPS services, we’ll also want high availability for these services. Therefore, Virtual IPs will have to be configured on both firewalls. At first sight, if we configure the same Virtual IP on both firewalls, there will be a duplicated IP address and it won’t work properly. However, FortiOS 6.0 already supports failover of IPv4 firewall VIPs and IP Pools. Thanks to a new proxy ARP setting, we’ll be able to map the VIP to each router’s Virtual MAC (VMAC).

Failover of IPv4 firewall VIPs
 
Another interesting setting is VRRP load balancing, which is useful when we want both firewalls to process traffic. Accordingly, one firewall is the primary router of one subnet and the other one is the primary router of the other subnet. However, if one firewall fails, all traffic fails over to the one that is still operating. From my point of view, an Active/Active configuration is not the best design, but it could be useful in some architectures.

VRRP load balancing

All of these settings are configured using the CLI. There is no way to configure VRRP using the GUI on FortiGate. Consequently, the VRRP status also has to be retrieved from the CLI. The command “get router info vrrp” shows the status of VRRP. For instance, we can know which firewall is the master router and which is the backup router. We can also see the Virtual Router IP (vrip), the Virtual Router Group (vrgrp), etc.

VRRP Routing Table

VRRP is a standard protocol, so we can also configure a VRRP domain between a firewall and a router. For example, we could configure a VRRP domain between a FortiGate firewall and a Cisco router. This is a great advantage of using standard protocols instead of proprietary protocols such as HSRP or GLBP.

Your comments are welcome!!

20 May 2019

F5 BIG-IP APM – SSO for Terminal Services



F5 BIG-IP APM is a good alternative to the deprecated Juniper SSL VPN, which has been sold to Pulse Secure, because APM unifies SSL VPN services and the management of authentication and user access, integrating SSO authentication and identity federation services into the same solution. Therefore, F5 BIG-IP APM can be used for telecommuting as well as for Virtual Desktop Infrastructures (VDI), since APM supports native VDIs such as Microsoft, VMware and Citrix and also supports most authentication mechanisms (NTLM, Kerberos, SAML, digital certificates, tokens, OTPs, etc).

I made a video last week about Portal Access & Webtops, and I would like to share a new video this week about Single Sign-On for Terminal Services. As you will see, it’s easy to configure SSO for Terminal Services, but it’s a useful feature in most organizations for employees and partners who work from home, from an airport or from wherever.


I think it’s important to highlight that some extensions are needed when creating the SSL certificate for the SSL Profile (Client), because the VDI profile generates a cryptographic signature based on the attached client SSL profile. If the SSL certificate doesn’t have these extensions, there will be an error message when we connect to the Remote Desktop:

"The digital signature of this RDP File cannot be verified. The remote connection cannot be started".

APM - User Defined RDP in version 13 - digital signature issue

I hope this video is useful for you. Regards my friends! Keep learning!

13 May 2019

F5 BIG-IP APM - Portal Access & Webtops



The last two weeks have been a little bit stressful but at the same time very rewarding. Firstly, I’ve had to prepare lots of F5 labs and slides because I’ve been the teacher of an F5 training course. Secondly, it’s very rewarding because I’ve also learnt a lot thanks to the students’ questions. Actually, the first course week has been about F5 BIG-IP LTM Fundamentals, while the second week has been three days of F5 BIG-IP LTM Advanced and two days of F5 BIG-IP APM.

We’ve talked about new technologies such as HTTP/2 and HSTS, which could be interesting for new application deployments. We’ve also been speaking about advanced TCP options such as Multipath TCP, SACK, Long Fat Networks and Nagle’s Algorithm. All of these concepts were new for the students. They didn’t know anything about them. However, F5 BIG-IP is able to deliver applications with these TCP options. What’s more, F5 BIG-IP APM is able to deliver access portals with Single Sign-On (SSO), which is very useful for organizations that want a single web portal to access all internal applications with the same credentials. An access portal with SSO for applications is like what Google does with all its applications.

Google Single Sign-On for Gmail Applications

I wrote about “throw away your firewalls” two summers ago, when I read that Google has an access portal with SSO for employees, where they can work from the Internet as if they were inside the Google building. In the next video we can watch how to configure an access portal, which can be configured along with SSO authentication, where there are Webtops to access internal applications. F5 BIG-IP APM allows organizations to have a single access portal with SSO authentication to access all internal and external applications.


I hope this video is useful for you. I've learnt a lot!! Keep learning my friends!

6 May 2019

F5 BIG-IP APM – SSO Authentication



It’s really beautiful and rewarding to learn how to configure new services and technologies, but it’s also really hard to test a configuration again and again until it works, because it takes a lot of time. This weekend, I’ve spent more than 6 hours learning how to configure the Single Sign-On functionality with an application server that uses forms-based authentication. Finally, I’m happy because I’ve learnt how to configure SSO in BIG-IP APM.


The most difficult configuration is the SSO Method Configuration, because we have to know exactly how the application validates the username and password. I mean, we have to know what the login page is and what the credential parameters are. On the other hand, the Visual Policy Editor is really powerful: there we can configure the logon page, the authentication database, SSO mapping, etc. We can configure almost everything.

Visual Policy Editor
 
I hope this video is useful for you. I've learnt a lot!! Keep learning my friends!

29 April 2019

What’s new in BIG-IP version 14.0



From my point of view, BIG-IP version 13.1 is ready for production. In fact, BIG-IP version 13.1.1.4 is the best version for production right now. However, BIG-IP version 14.0 is already out, and it’s time to get to know the new features and enhancements. I like reading and writing about new versions, such as What’s new in BIG-IP version 13.1, What’s new in FortiOS 5.6 or What’s new in FortiOS 6.0. Today, I’m going to highlight the new features included in BIG-IP 14.0 which are useful and cool.

BIG-IP LTM v14.0 has new features such as default password expiry, password policy enforcement, a new HTML-based dashboard and support for full dual-stack IPv4 and IPv6 addresses on the management port. The new HTML-based dashboard is the best feature by far, because Flash is no longer needed to show the system dashboard. On the other hand, security has improved because default passwords have to be changed and we can also configure a password policy to enforce strong administrator passwords.

HTML-Based Dashboard

BIG-IP Advanced WAF v14.0 has lots of interesting security features such as Enforcing Use of Parent Policies, Threat Campaigns Subscription and Secure Client-Side Transactions with DataSafe, to name a few. Enforcing use of parent policies is useful to eliminate repetitive configuration and management of the same settings across individual policies. In addition, the Threat Campaigns Subscription is interesting for detecting specific threat actors, web attacks and vulnerabilities. The Threat Campaigns Subscription can complement any existing security policy and DoS profile already deployed. Finally, Secure Client-Side Transactions with DataSafe is able to obfuscate user data, encrypt user data or protect against keyloggers using a new DataSafe profile assigned to the virtual server.

Enforcing Use of Parent Policies
 
BIG-IP APM v14.0 has also included new features and enhancements such as Access Guided Configuration, OpenID Connect Authorization Server, VMware Blast Extreme and Multi-Factor Authentication for native Microsoft clients. Guided Configuration uses iApps and is designed to make complicated configurations much simpler for BIG-IP administrators. What’s more, BIG-IP APM v14 supports OpenID authentication, which is similar to SAML, and it also supports VMware Blast for Virtual Desktop Infrastructures (VDI).

Access Guided Configuration
 
BIG-IP DNS v14.0 has also been improved with new features such as EDNS0 Client Subnet support, and it’s also able to add DNS devices via iControl REST. For instance, BIG-IP DNS v14 places the client IP address into the EDNS0 field, if it is empty, and determines the topology proximity of the client. This new feature improves Global Server Load Balancing.

With EDNS0 Client Subnet Support
 
There are lots of new features and enhancements in BIG-IP v14.0. It’s up to you to test these new features and read about them. Regards my friends! Be happy!

22 April 2019

Security on the Internet for teenagers



From time to time I have to give a speech about security, networking or technology. This week, my colleague Marco has scheduled a talk about “Security on the Internet for teenagers”, where I’m going to speak about best practices and the risks there are on the net. Actually, there are lots of things I can tell about security on the Internet. I can speak about social networks, privacy, sexting, cyber bullying, grooming, etc.

Poster

Social networks are well known by most teenagers. Most of them know WhatsApp, Snapchat, Pinterest or even TikTok. They know the benefits of using this kind of application. We can be in touch with friends. We can share pictures. We can meet people with the same hobbies. There are lots of benefits. However, it’s important to highlight that there are also risks we have to take into account. These risks can be very serious, from a fight to suicide. For this reason, social networks must be used carefully.

Privacy seems boring. Most teenagers don’t care about privacy. There are lots of letters to read. There are lots of sentences to understand. Nobody reads them. However, privacy is not like things, which we can recover if someone else picks them up. I mean, if someone steals your bike, you can recover it, but if someone steals your identity, your pictures or your information, you’ll never recover them.

Social networks and privacy are just two topics I’m going to speak about in the talk, but I will also speak about sexting, bullying, grooming, etc., where I’m going to play videos and ask the teenagers lots of questions. We’ll see the feedback from the audience. I hope this talk will be rewarding for the future of teenagers on the net.

We will see on the stage!! ;-)

15 April 2019

ISA-95 levels for Industrial Systems



One of the first certification exams I took was the ITIL Foundation 8 years ago, where I learnt about IT Service Management (ITSM). Afterwards, I worked for Ariadnex to get ISO 20000, where I learnt more about IT Service Management. I also worked for Ariadnex to get ISO 27001, where I learnt a lot about information security. These last two years I’ve also been working with PCI-DSS and ISO 22301. I mean, I think reading standards and applying best practices is important, and much of the time mandatory, to do a good job.

Today, I want to write about a new standard I’ve been reading lately: the ISA99 standard. I didn’t know this standard until four or five months ago, when I started working on a new project. If you know the ISA99 standard, you’ll know I’m talking about an industrial project. Actually, the ISA99 committee has developed the ISA/IEC 62443 series of standards, and the ISA99 standard itself is no longer developed by the committee. What I would like to highlight today are the levels defined by the ISA95 and ISA88 standards.

ISA-95 levels

The first two levels of process control, level 0 and level 1, are focused on the control of the equipment which executes the production processes. On the one hand, level 0 is the equipment and human resources required for the industrial process. Level 0 is the set of physical assets in the enterprise. On the other hand, automation systems such as PLCs, DCSs or RTUs are in level 1. These automation systems work with the physical assets, which are in level 0. The level 1 devices are electrical and control devices.

PLC - Programmable Logic Controller

The next level, level 2, is very well defined by the ISA88 standard. HMI and SCADA systems are in this second level. HMIs are operation monitors to control specific processes, while SCADA systems are applications to control and monitor the whole industrial system. As a rule, a PLC is controlled by an HMI, while lots of PLCs are monitored with a SCADA system. Therefore, the first interaction between the human being and the hardware is at level 2.

SCADA - Supervisory Control And Data Acquisition

The next two levels, level 3 and level 4, are well defined by the ISA95 standard. We have the Batch, Historian and MES in the third level. The Batch is like a SCADA with databases for batch production. The Historian is a database where industrial data is stored. The MES is the interface between level 2 and level 4. Therefore, level 4 is where the business intelligence is located. For instance, ERPs and CRMs are in level 4.

MES - Manufacturing Execution System

Once all levels are defined, how can we protect an industrial enterprise? The lower levels can be secured with an Intrusion Prevention System (IPS) loaded with industrial signatures that block attacks against industrial communication protocols (e.g. Modbus, PROFIBUS, Conitel, etc.), while the upper levels can be secured with Application Control and Web Filtering. In addition, I would like to highlight the importance of segmenting the network into zones.
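To make the two ideas above concrete (a protocol-aware signature for the lower levels and zone segmentation between levels), here is a small Modbus/TCP inspection routine. It is an added example written for this post, not FortiGate code or anything from the ISA standards: the level 2 HMI addresses, the "only the HMI zone may write" policy and the sample frames are all constructed for the illustration.

```python
"""Zone-aware inspection of Modbus/TCP traffic (added illustration, not FortiGate code)."""
import struct
from typing import NamedTuple, Set

# Modbus function codes that change process state; reads (1-4) are left alone.
# Constructed policy: only stations in the level 2 (HMI/SCADA) zone may write.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Constructed addresses for the operator stations in the level 2 zone.
HMI_ZONE: Set[str] = {"10.0.2.10", "10.0.2.11"}


class ModbusFrame(NamedTuple):
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header and the PDU that follows it.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts the unit id plus the whole PDU, so a mismatch means
    a truncated or padded frame, which a protocol signature should reject.
    """
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack("!HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match payload size")
    return ModbusFrame(tid, pid, length, uid, payload[7], payload[8:])


def build_frame(tid: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Build a Modbus/TCP frame; used here only to create constructed sample traffic."""
    pdu = bytes([function_code]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def inspect(src_ip: str, payload: bytes, hmi_zone: Set[str] = HMI_ZONE) -> str:
    """Return "allow" or "block:<reason>" for one Modbus/TCP request.

    Two rules are modelled: malformed frames are dropped (protocol signature),
    and write function codes are only accepted from the HMI zone (zone policy).
    """
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as err:
        return f"block:malformed ({err})"
    if frame.function_code in WRITE_FUNCTION_CODES and src_ip not in hmi_zone:
        return f"block:write fc={frame.function_code} from {src_ip} outside HMI zone"
    return "allow"


# Constructed sample traffic: a read of 10 holding registers and a write to register 0x10.
READ_REQUEST = build_frame(1, 1, 3, struct.pack("!HH", 0, 10))
WRITE_REQUEST = build_frame(2, 1, 6, struct.pack("!HH", 0x0010, 0x00FF))


def run_samples():
    """Apply the policy to sample flows from a level 2 station and a level 4 server."""
    return [
        ("10.0.2.10", "read", inspect("10.0.2.10", READ_REQUEST)),
        ("10.0.2.10", "write", inspect("10.0.2.10", WRITE_REQUEST)),
        ("10.0.4.50", "read", inspect("10.0.4.50", READ_REQUEST)),
        ("10.0.4.50", "write", inspect("10.0.4.50", WRITE_REQUEST)),
        ("10.0.4.50", "truncated", inspect("10.0.4.50", WRITE_REQUEST[:-1])),
    ]


if __name__ == "__main__":
    for src, kind, verdict in run_samples():
        print(f"{src:<12} {kind:<10} {verdict}")
```

The point of the example is the split between the two checks: the length and protocol-id validation is what an industrial IPS signature does for every frame regardless of source, while the function-code rule only works because the network has been segmented into zones, so the source address actually tells you which ISA level a request comes from.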

FortiGate Rugged

Keep learning and keep studying my friends!! All comments are welcome.

8 April 2019

A Forensic Challenge



I finished the training on Networks, Systems, Hacking and Forensics last week, where students have learned a lot about Security, or at least I think they have! This last course about Forensics has been fun because students had to solve three challenges. The first one was interesting for reinforcing the importance of looking at metadata. The second one was a little more difficult, as it used steganography techniques. I have to admit the third one is difficult for a newbie because it contains a mix of steganography and obfuscation techniques.

The last challenge is about steganography and obfuscation: students checked the image metadata, hex dumped the file contents and extracted a hidden zip archive. They also had to look at the start, the end and the middle of the file to extract another file. Finally, students had to read about an esoteric programming language to find the final flag.
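The hex-dump and "hidden zip archive" steps of that challenge can be reproduced with a few lines of Python. This is an added example, not the challenge file or the students' solution: the image is a constructed stand-in (only the JPEG markers, not a decodable picture) and the flag inside the appended archive is a constructed sample value.

```python
"""Carve a zip archive hidden after a JPEG's End-Of-Image marker (added example)."""
import io
import zipfile
from typing import Dict, List, Tuple

JPEG_SOI = b"\xff\xd8"            # Start Of Image
JPEG_EOI = b"\xff\xd9"            # End Of Image: a viewer stops here and ignores the rest
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature of a zip local file header

# Constructed stand-in for the challenge image: SOI, a 16-byte JFIF APP0 segment,
# a few bytes of "pixels" and the EOI marker. Not a decodable picture, just the markers.
FAKE_JPEG = (
    JPEG_SOI
    + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9
    + b"pixel data"
    + JPEG_EOI
)


def build_sample_image() -> bytes:
    """Append a small zip archive (with a constructed flag) after the JPEG EOI."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "flag{constructed_sample_flag}")
    return FAKE_JPEG + buf.getvalue()


def hexdump(blob: bytes, start: int = 0, length: int = 32) -> List[str]:
    """xxd-style lines for a window of the file (start, end or middle)."""
    lines = []
    for off in range(start, min(start + length, len(blob)), 16):
        chunk = blob[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<47}  {text}")
    return lines


def locate_markers(blob: bytes) -> Dict[str, int]:
    """Offsets worth checking first: SOI at the start, first EOI, first zip signature."""
    return {
        "soi": blob.find(JPEG_SOI),
        "eoi": blob.find(JPEG_EOI),
        "zip_local_header": blob.find(ZIP_LOCAL_HEADER),
    }


def carve_zip(blob: bytes) -> Tuple[int, Dict[str, bytes]]:
    """Find the first offset where a valid zip archive starts and read its members.

    Every zip signature is tried in turn, because the four bytes can also occur
    by chance inside image data; zipfile.is_zipfile() confirms a real archive.
    """
    offset = blob.find(ZIP_LOCAL_HEADER)
    while offset != -1:
        candidate = io.BytesIO(blob[offset:])
        if zipfile.is_zipfile(candidate):
            candidate.seek(0)
            with zipfile.ZipFile(candidate) as zf:
                return offset, {name: zf.read(name) for name in zf.namelist()}
        offset = blob.find(ZIP_LOCAL_HEADER, offset + 1)
    raise ValueError("no embedded zip archive found")


if __name__ == "__main__":
    image = build_sample_image()
    print("markers:", locate_markers(image))
    print("\n".join(hexdump(image, 0, 16)))             # start of file
    print("\n".join(hexdump(image, len(image) - 16)))   # end of file
    offset, members = carve_zip(image)
    print(f"zip at offset {offset}: {members}")
```

One caveat for real images: a JPEG with an EXIF thumbnail contains a second, embedded SOI/EOI pair, so "everything after the first EOI" is not a reliable cut point. That is why the carving step searches for the archive's own signature and lets the zip module validate it, instead of trusting the image markers alone.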


There are lots of CTF (Capture The Flag) challenges on the Internet which are useful for learning about hacking and forensics. You just have to keep studying, reading books and learning what you want!

1 April 2019

MLAG vs vPC vs Stacking



I’m working these days with Mellanox Switches, which I think are awesome because, thanks to the Spectrum ASIC, these switches provide low latency, zero packet loss and non-blocking traffic. In fact, it’s one of the first manufacturers I know of with 400 GbE interfaces. I mean, one network interface at 400 Gbps. It’s amazing. In addition, Mellanox switches support the RDMA over Converged Ethernet (RoCE) technology, which is a great benefit for Hyperconverged Infrastructures (HCI).

Mellanox SN3510 with 6 QSFP-DD 400GbE

Once they are installed, it’s time for network configuration. Right now I’m thinking about clustering, and I’m also looking for the best technology to deliver high throughput. I’ve already written about Multi-Chassis Link Aggregation (MLAG), and I think it will be the best technology for configuring a cluster of switches with high throughput. MLAG is a non-standard protocol used to create port groups between switches of the same vendor, so we can build LAGs towards servers from different switches. Therefore, MLAG is recommended for high availability and high throughput.

Multi-Chassis Link Aggregation

If you know Cisco, you may be thinking about Cisco Nexus vPC. This is also a great technology for clustering switches, where we can create Link Aggregations (LAG) across two switches. In addition, the switches keep their control planes separate, which delivers better performance. However, Cisco Nexus vPC is a Cisco-specific protocol that can’t be configured on other kinds of switches.

Cisco Nexus vPC
 
At first glance, MLAG and vPC are the same. Both create Link Aggregations (LAG) across two switches, and in both the switches are managed and configured independently, but they are not really the same. For instance, MLAG is easier to configure than vPC because MLAG concepts are the same on all platforms, while vPC is a vendor technology with its own concepts. In addition, MLAG mainly enables Layer 2 multipathing, while vPC enables Layer 2 and Layer 3 multipathing. However, if we want to enable Layer 3 multipathing, we could also use the Multi-Active Gateway Protocol (MAGP).

On the other hand, stacking is a well-known technology that makes switch configuration easy because all switches are configured from a single management interface; thus there is only one management plane. In addition, stacking can create Link Aggregations (LAG) across switches, as MLAG and vPC do. However, stacking has many more limitations than MLAG or vPC. For instance, there is always a limit on the number of switches that can be added to a stack. What’s more, it can’t stack remote switches that are geographically separated. Therefore, stacking makes sense at the edge of smaller sites, while MLAG or vPC make sense in the core or distribution layer.

Stacking
 
To sum up, there are three technologies for creating Link Aggregations (LAG) from switches to servers: MLAG, vPC and Stacking. Which one to choose? It’s up to you.

Keep learning and keep studying my friends!! Any comments are welcome.