
29 November 2021

Fortinet FortiSwitch - Secure Simple Scalable

There are several challenges at the access layer today. On one hand, the number of devices keeps growing. On the other hand, threats are increasingly complex and breaches more common. In addition, IT management is complex, and skilled personnel are scarce and expensive. As a result, legacy Ethernet LANs are at capacity, standard network designs have to add a new security layer, and that complexity increases the time it takes to resolve issues. Fortinet FortiSwitch helps us deploy and manage a secure, simple and scalable model for Ethernet access.

Most network administrators want to manage the whole network easily. They have lots of switches to manage and they also want visibility into what just happened. This is really difficult to achieve from the CLI; instead, we should use a network controller with a GUI, such as FortiGate. Thanks to FortiLink, we can centrally manage Fortinet switches and Fortinet access points from a single web interface. What’s more, FortiLink works at layer 2 and also at layer 3, which means we can manage FortiSwitches from the FortiGate controller when they are in the same network (L2) but also when they need routing (L3) to reach each other.

FortiSwitch Deployment Options

There are lots of topologies we can deploy with FortiSwitches, from a basic one with a single FortiSwitch to a much more complex topology with MCLAG pairs and a FortiGate HA Active/Passive cluster. When we deploy a FortiGate HA pair and multiple switches in a star topology, we can configure an active FortiLink and also a standby FortiLink for redundancy. If instead we deploy a ring topology, we’ll easily see from the Security Fabric which Inter-Switch Link (ISL) is in STP discarding state.

FGT HA A/P with Two 1st-tier MCLAG Pairs

Security-Driven Networking converges security and network access, thus extending security to the access layer. For instance, switches and APs can automatically quarantine a malicious device at the access layer to contain attacks. We can also configure micro-segmentation to stop attacks spreading over the LAN. Dynamic VLAN assignment and 802.1X policies are two other really useful security features which can be applied to FortiSwitches from FortiGate.

FGT NAC Policy

Managing switches and APs from FortiGate is great, but when we have a lot of devices to manage we need something else. FortiManager helps us in large-scale deployments because we can assign templates and authorize, restart and upgrade all managed switches easily. In addition, we can assign VLANs and port properties such as 802.1X policy, PoE, DHCP snooping, STP properties, IGMP snooping, etc. Therefore, FortiManager is the best solution for large deployments.

FortiSwitch Manager Module - Managed Switches

To sum up, network administrators are scarce and expensive, and most of them have lots of daily tasks. They want an easy way to manage all access devices from a single web page. In addition, security is already a must in the company. From my point of view, FortiSwitch is a good solution for all of them.

Regards my friends! How are you managing your switches?

22 November 2021

F5 BIG-IP APM – Configuring App Tunnels

I really like F5 BIG-IP APM because it has lots of use cases. We can use APM as a secure access portal with lots of resources such as SAML resources, Webtop links, Single Sign-On configuration, etc. We can also use APM as an SSL VPN in web mode or tunnel mode. In addition, thanks to the Visual Policy Editor (VPE), it's really powerful and easy to configure application access from a security perspective.

This week, I’ve been working with the application tunnel feature, where I’ve had to configure access to several apps through a tunnel. We didn’t want to use Network Access, so the application tunnel fits the requirement. In the next video we can watch how to configure a basic app tunnel to access the F5’s management interface. The configuration is the same for other internal resources such as SSH or webmail services.

Regards my friends! Did you know the App Tunnel feature?

15 November 2021

F5 BIG-IP DNS - Topology Load Balancing

I’ve already written about Data Center Load Balancing, where I even recorded a video with the F5 BIG-IP DNS configuration. I’ve also written about DNS Load Balancing, DNS Security, DNS over HTTPS (DoH) & DNS over TLS (DoT), and how to configure DoH and DoT with F5 LTM. However, I think I still have a lot to learn about this interesting and necessary protocol, which is why I’ve been testing the topology algorithm in F5 BIG-IP DNS these weeks.

In fact, I’ve recorded a new video where you can watch how to configure F5 BIG-IP DNS for Global Server Load Balancing (GSLB). Firstly, I’ve created two nodes, two pools and two virtual servers, where each of them could be a service hosted in a different data center. Secondly, I’ve created the DNS configuration: the Wide IP with two pools, Data Center, Server, DNS listeners, Regions and Records. Finally, I’ve tested the configuration, where you can watch how F5 DNS resolves DNS queries according to Regions and Records.
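To make the Regions and Records step concrete, here is an added model of topology load balancing (example code written for this post, not F5’s implementation): the region of the querying LDNS is matched against topology records, and the best-scoring record whose pool is up decides which data center answers. Region subnets, pool names, addresses and the pools_up status are constructed assumptions; a real BIG-IP DNS learns pool health from its monitors and supports more record options than shown here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Regions group the subnets of the clients' local DNS servers (LDNS); constructed ranges.
REGIONS: Dict[str, List[str]] = {
    "EU_LDNS": ["10.10.0.0/16", "192.0.2.0/24"],
    "US_LDNS": ["10.20.0.0/16", "198.51.100.0/24"],
}

# One pool per data center, each holding that data center's virtual server (constructed IPs).
POOLS: Dict[str, str] = {"pool_dc_madrid": "203.0.113.10", "pool_dc_newyork": "203.0.113.20"}

@dataclass(frozen=True)
class TopologyRecord:
    ldns_region: str  # source side of the record: region of the querying LDNS
    pool: str         # destination side: pool to answer from
    score: int        # highest score among the matching records wins

# Primary data center per region, plus low-score records as cross-region fallback.
RECORDS: List[TopologyRecord] = [
    TopologyRecord("EU_LDNS", "pool_dc_madrid", 100),
    TopologyRecord("US_LDNS", "pool_dc_newyork", 100),
    TopologyRecord("EU_LDNS", "pool_dc_newyork", 10),
    TopologyRecord("US_LDNS", "pool_dc_madrid", 10),
]

def region_of(ldns_ip: str) -> Optional[str]:
    """Map the source address of the DNS query to the first region containing it."""
    addr = ipaddress.ip_address(ldns_ip)
    for name, subnets in REGIONS.items():
        if any(addr in ipaddress.ip_network(s) for s in subnets):
            return name
    return None

def resolve(ldns_ip: str, pools_up: Dict[str, bool]) -> Optional[str]:
    """Answer a Wide IP query: best-scoring topology record whose pool is up, else no answer."""
    region = region_of(ldns_ip)
    best: Optional[TopologyRecord] = None
    for rec in RECORDS:
        if rec.ldns_region == region and pools_up.get(rec.pool, False):
            if best is None or rec.score > best.score:
                best = rec
    return POOLS[best.pool] if best else None

if __name__ == "__main__":
    status = {"pool_dc_madrid": True, "pool_dc_newyork": True}
    print(resolve("10.10.5.5", status))                                # EU LDNS -> Madrid
    print(resolve("198.51.100.7", status))                             # US LDNS -> New York
    print(resolve("10.10.5.5", {**status, "pool_dc_madrid": False}))   # Madrid down -> New York
```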


Actually, there are lots of ways to configure services in high availability across more than one data center. The F5 BIG-IP LTM device and the BGP protocol allow us to send traffic to several data centers for high availability, but F5 BIG-IP DNS is another way, which allows us to configure a genuine GSLB topology.

Regards my friends! How do you design services in high availability between data centers?

8 November 2021

Troubleshooting latency by capturing traffic

When someone has network issues such as high latency, packet loss or high jitter, I always like using Wireshark and Tcpdump to capture traffic. I still remember learning how to use them at university, in my fourth year studying IT engineering. I also learnt about the TCP window and the network congestion-avoidance algorithm. When we use Wireshark to analyze a packet capture, it’s important to know the flags, the TCP messages and the connection states in order to understand and optimize TCP performance.

One of the TCP flags that is really useful is TCP Window Full. If a sender transmits a packet which fills the recipient’s receive window, Wireshark reports this message. It means the sender has reached the full capacity of the TCP flow, which is limited by the receiver, even though the network may have higher capacity. For instance, older operating systems and less powerful devices have small TCP buffers which can be increased. On the other hand, systems such as F5 BIG-IP allow us to configure the Send Buffer and Receive Window settings easily from the GUI.

TCP Window Full

Another interesting flag we can see when there are performance issues is TCP Zero Window. It tells the TCP sender to stop sending traffic because the receiver’s buffer is full; in other words, the sender is delivering traffic faster than the receiver can process it. If a device advertises Zero Window, we should check the peer flow, which usually indicates that throughput is limited by the peer. We should also check the system’s performance, because if it is heavily loaded, the system itself can introduce delay.

TCP Zero Window

There is another TCP flag we often see when we analyze a packet capture. TCP Retransmission means the ACK for a packet has not been received within the timeout interval (known as the retransmission timeout, or RTO), so the sender has to retransmit the packet. This flag indicates network loss, but it may not always be a problem, because TCP is designed to increase throughput until loss is observed in order to estimate network capacity.

TCP Retransmission

When we see the TCP Retransmission flag, we can also see the TCP Duplicate ACK message. This message is part of a loss recovery mechanism called TCP Fast Retransmit. A duplicate ACK is sent when a receiver gets out-of-order packets: upon receiving an out-of-order packet, the receiver starts sending duplicate ACKs so that the sender starts the fast-retransmission process. It indicates packet loss, but this behaviour may not be an issue because TCP is designed to work like that.

TCP Duplicate ACK
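To show how the four messages above are derived from a capture, here is an added analyzer (example code written for this post, not Wireshark’s own logic) that applies simplified versions of Wireshark’s expert rules to a constructed trace: bytes in flight reaching the advertised window gives Window Full, a zero advertised window gives Zero Window, a pure ACK repeating the previous ack number gives Dup ACK (or Window Update if only the window changed), and data below the highest sequence already sent gives Retransmission. Sequence numbers are relative and the trace, host labels and window sizes are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Segment:
    src: str     # sending side, "client" or "server" (constructed labels)
    seq: int     # relative sequence number of the first payload byte
    length: int  # payload bytes in this segment
    ack: int     # relative acknowledgement number
    win: int     # receive window advertised by the sender of this segment

@dataclass
class SideState:
    next_seq: int = 0    # highest seq+length this side has sent so far
    last_ack: int = -1   # last ack number this side sent
    last_win: int = -1   # last window this side advertised

def analyze(trace: List[Segment]) -> List[Tuple[int, str]]:
    """Return (index, message) pairs using simplified Wireshark expert rules."""
    state = {"client": SideState(), "server": SideState()}
    findings: List[Tuple[int, str]] = []
    for i, s in enumerate(trace):
        me, peer = state[s.src], state["server" if s.src == "client" else "client"]
        if s.win == 0:
            findings.append((i, "TCP Zero Window"))
        if s.length > 0 and s.seq < me.next_seq:
            findings.append((i, "TCP Retransmission"))   # payload already sent once
        elif (s.length > 0 and peer.last_win >= 0
              and s.seq + s.length - peer.last_ack >= peer.last_win):
            findings.append((i, "TCP Window Full"))      # in flight == peer's window
        if s.length == 0 and s.ack == me.last_ack:
            if s.win == me.last_win:
                findings.append((i, "TCP Dup ACK"))      # out-of-order data at receiver
            else:
                findings.append((i, "TCP Window Update"))
        me.next_seq = max(me.next_seq, s.seq + s.length)
        me.last_ack, me.last_win = s.ack, s.win
    return findings

# Constructed trace: a 2000-byte server window fills, the server advertises zero window,
# reopens it, then the segment at seq 2000 is lost and fast retransmit recovers it.
TRACE = [
    Segment("server", 0, 0, 0, 2000),
    Segment("client", 0, 1000, 0, 65535),
    Segment("client", 1000, 1000, 0, 65535),   # fills the 2000-byte window
    Segment("server", 0, 0, 2000, 0),          # receiver buffer full
    Segment("server", 0, 0, 2000, 4000),       # window reopened
    Segment("client", 2000, 1000, 0, 65535),   # lost in the network
    Segment("client", 3000, 1000, 0, 65535),   # arrives out of order
    Segment("server", 0, 0, 2000, 4000),       # dup ack 1
    Segment("server", 0, 0, 2000, 4000),       # dup ack 2
    Segment("server", 0, 0, 2000, 4000),       # dup ack 3
    Segment("client", 2000, 1000, 0, 65535),   # fast retransmit
    Segment("server", 0, 0, 4000, 4000),
]

if __name__ == "__main__":
    for idx, msg in analyze(TRACE):
        print(f"frame {idx + 1}: {msg}")
```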

To sum up, we should understand how TCP works, as well as TCP flags and messages, when troubleshooting network issues. Wireshark and Tcpdump will help us analyze a packet capture. Finally, we will have to configure devices with the right settings for better network performance.

Regards my friends! Do you usually analyze network traffic?

1 November 2021

F5 AWAF - Preventing Session Hijacking

I’ve been focused these weeks on preventing session hijacking attacks with F5 BIG-IP AWAF, where I’ve had to create a security policy to block this kind of attack. First of all, it’s important to highlight that this kind of attack is really critical, because an attacker who steals or predicts a valid session token gains unauthorized access to the web server. However, from my point of view, session hijacking attacks are not so easy to carry out. The session token can be compromised in different ways, but none of them is easy. The most common are predictable session tokens, session sniffing, client-side attacks (XSS, malicious JavaScript code, trojans, etc.), man-in-the-middle attacks and man-in-the-browser attacks.

F5 BIG-IP AWAF mitigates session hijacking attacks with a JavaScript challenge that obtains a unique device ID representing the client device. This device ID is encrypted and stored in the ASM cookie, which the client sends in each HTTP request. The BIG-IP AWAF then issues the JavaScript challenge to verify the device ID on each HTTP request, and if the result of the challenge differs from the device ID stored and encrypted in the ASM cookie, the system considers the request an attack.

Configuring session hijacking protection is really easy in BIG-IP AWAF. Firstly, we have to enable Accept XFF in the HTTP profile when clients are behind an internal or other trusted proxy. Secondly, we have to enable the session hijacking feature, which makes the system send the JavaScript challenge; note that the security policy then blocks client browsers that do not support JavaScript, even when the security policy is in transparent mode. Finally, we have to enable blocking for the session hijacking violations “Modified ASM cookie”, “Modified domain cookie(s)” and “ASM Cookie Hijacking”.
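The two paragraphs above describe a device ID bound into a protected cookie and re-checked on every request. Here is an added model of that check (example code written for this post, not F5’s implementation) showing why a tampered cookie raises “Modified ASM cookie” while a genuine cookie replayed from another device raises “ASM Cookie Hijacking”. Assumptions: the cookie is HMAC-authenticated rather than encrypted, the device IDs and server key are constructed, and the JavaScript challenge is reduced to the string the client would return.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict

# Constructed server-side key; the real ASM cookie key never leaves the BIG-IP.
SERVER_KEY = secrets.token_bytes(32)

def issue_cookie(device_id: str, key: bytes = SERVER_KEY) -> str:
    """Bind the device ID returned by the JavaScript challenge into an ASM-style cookie.

    Simplification: the value is authenticated with an HMAC tag instead of being
    encrypted; that is enough to detect tampering and forged cookies.
    """
    payload = base64.urlsafe_b64encode(json.dumps({"device_id": device_id}).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def check_request(cookie: str, challenge_result: str, key: bytes = SERVER_KEY) -> str:
    """Return "allow" or the name of the violation this request would raise."""
    parts = cookie.split(".", 1)
    if len(parts) != 2:
        return "Modified ASM cookie"          # not in the issued format at all
    payload, tag = parts
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return "Modified ASM cookie"          # edited, or forged without the key
    bound = json.loads(base64.urlsafe_b64decode(payload))["device_id"]
    if not hmac.compare_digest(bound.encode(), challenge_result.encode()):
        return "ASM Cookie Hijacking"         # genuine cookie, different device
    return "allow"

def demo() -> Dict[str, str]:
    """Walk the cases a defender cares about, using constructed device IDs."""
    legit = issue_cookie("dev-A")
    tampered = legit[:-1] + ("0" if legit[-1] != "0" else "1")   # flip one tag character
    return {
        "same device": check_request(legit, "dev-A"),
        "replayed from another device": check_request(legit, "dev-B"),
        "tampered cookie": check_request(tampered, "dev-A"),
        "forged without server key": check_request(issue_cookie("dev-A", b"wrong-key"), "dev-A"),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```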

I would like to share with you two videos where we can watch how to configure session hijacking protection with F5 BIG-IP Advanced WAF (formerly ASM). I think these two videos explain really well what a session hijacking attack is, thanks to the Hackazon virtual machine, and how to enable session hijacking protection in F5 AWAF. The first video shows how to block a modified domain cookie, while the second one shows how to block a modified ASM cookie.

What’s more, F5 has recently acquired Shape Security and Volterra to sell SaaS security services. As a result, F5 has created a new feature called Device ID+, which is similar to Device ID, but the new one is delivered from the cloud and uses machine learning to assign a unique identifier to each device visiting the web site. All customers have free access to this service for up to 20 million devices. Therefore, we should take into account that Device ID+ is not the same as Device ID. However, Device ID does the same as “client fingerprinting”, which is also used for Bot Defense, Brute Force Protection and Web Scraping.

Device ID+ data flow

Regards my friends! Do you have session hijacking vulnerabilities?
