
16 September 2019

No Logo

I have just finished reading a book about brands. All of us know lots of brands. Most people want brand-name shoes, brand-name jeans, brand-name shirts, etc. We want brands because we think branded stuff is much better than other stuff nobody knows. We are willing to pay more for a brand's shoes than for other shoes nobody knows. As a result, companies spend lots of money on advertising campaigns. They even pay celebrities, such as Michael Jordan or Cristiano Ronaldo, lots of money to appear in advertising campaigns.

Celebrities also know they are working for these companies. Therefore, they have to speak very well about these brands and they have to wear the clothes of the companies that sponsor them. I remember a press conference where Cristiano Ronaldo showed off a luxury diamond watch again and again. I think he scratched his face and his lips from time to time just to show the "amazing" watch. However, famous people also have to be careful about which companies sponsor them, because some of them could ruin their own personal brand.

Luxury diamond watch

Superstars could ruin their own personal brand when they endorse manufacturers which make products without taking workers' rights and human rights into consideration. Companies increasingly make products in eastern countries such as China, Vietnam or Indonesia, where workers earn very little money. In addition, these factories don't have minimum safety measures. They don't have proper air conditioning or hygiene. Consequently, people work long hours in high-risk factories for a low wage.

Bangladesh factory collapse

There are lots of people in the East who work in bad working conditions, and this is the main reason why we can buy products so cheaply. Mainly, U.S. companies have the idea and invest in it, Europeans work on the idea, and finally, eastern workers manufacture the product. However, working for a low salary is also increasingly usual in western countries. There are no factories and there are not enough jobs for everybody. Therefore, western people have low salaries and buy cheap products, which are made in eastern factories with low wages. It's a dangerous vicious cycle.

Wealthy people are getting richer and poor people are getting poorer. Thereby, there are people who have realised we have to do something. There are demonstrations and strikes in front of malls. There are billboards which are destroyed or repainted. There are even foundations, such as the Adbusters Media Foundation, which fight to counter pro-consumerist advertising. It's up to you whether you want to fight for your rights.

Adbusters cover

To sum up, companies no longer manufacture products but brands. Most people want brands, and we want to buy cheap things. Companies have outsourced the manufacturing process, and most factories are in eastern countries. We don't mind that products are made by people who work long hours for a low wage, or we don't want to know about it. It's time to think about consumerism.

Regards my friends. A nice book, like this one, can change your mind!

9 September 2019

Asymmetric Encryption Algorithms

I remember a security administrator who told me he couldn't enable encryption in a site-to-site VPN because the firewalls couldn't encrypt high-throughput traffic. He said the firewalls didn't have enough CPU for VPN data encryption. Obviously, those firewalls weren't well sized for his requirements. Encryption needs a powerful CPU and/or cryptographic hardware, but it also requires choosing the right cipher suites. Maybe this security administrator didn't have a good enough firewall to encrypt the site-to-site VPN but, maybe, he also didn't know that there are several encryption algorithms and that, if they are configured properly, you will be able to get what you want.

I learnt at University how public-key cryptosystems work. It's easy to understand. There are two keys: a public key and a private key. The public key is known by everyone; it's like an open padlock. The private key is only known by the owner; it's like the key that opens the padlock. Therefore, when someone locks a message with the padlock, only the owner can open the padlock and read the message. Rivest-Shamir-Adleman (RSA) is one of the first public-key cryptosystems and it is still one of the most widely used for securing data transmission.

Public Key Encryption

There is an alternative to RSA for digital signatures: the Digital Signature Algorithm (DSA). This algorithm was standardised by the U.S. government (NIST, FIPS 186) and, at comparable key sizes, it offers a similar security level to RSA. However, it relies on different mathematics (the discrete logarithm problem instead of integer factorisation) and, unlike RSA, it is a signature-only scheme: DSA cannot encrypt data, so it is an asymmetric signature algorithm rather than an asymmetric encryption algorithm. DSA signing is faster than RSA signing, but DSA verification is slower than RSA verification. Therefore, DSA is not a good choice if there are performance constraints on the side that verifies signatures, which is usually the client. Current guidance also prefers RSA, ECDSA or EdDSA over DSA for new deployments.

Diffie-Hellman is another algorithm I've learned, but this one while working with Virtual Private Networks (VPN). It's an asymmetric algorithm used to agree on a secret key between peers over an insecure channel. Firstly, the peers agree on public parameters (a large prime modulus and a generator, the "DH group" in IPsec), which an attacker may listen to. Secondly, each peer chooses a private secret known only to itself and sends the other peer a public value derived from it. Finally, each peer combines its own private secret with the peer's public value to obtain the same shared key, which is the key used for the encryption process. Recovering this shared key from the public values alone is, computationally speaking, infeasible for an attacker (the discrete logarithm problem). Note that plain Diffie-Hellman does not authenticate the peers, so in practice it is combined with pre-shared keys or certificates, as IKE does, to prevent man-in-the-middle attacks.

Diffie-Hellman Key Exchange
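The exchange described above, written out end to end as an added example (this is not code from the original post). It uses the 2048-bit MODP group from RFC 3526, which IKE calls DH group 14, generator 2, and plain Python arithmetic; the SHA-256 at the end stands in for the KDF a real protocol applies to the raw shared secret. The Miller-Rabin check and the subgroup check on the peer's public value are the two validations a practitioner should insist on before trusting group parameters or a peer's value.

```python
"""Finite-field Diffie-Hellman written out end to end.

Added example, not code from the original post. 2048-bit MODP group from
RFC 3526 (IKE "DH group 14", generator 2), plain pow() arithmetic, os.urandom
for the private exponents. The exchange is NOT authenticated: that is the gap
IKE closes with pre-shared keys or certificates.
"""
import hashlib
import os

# RFC 3526 section 3: 2048-bit MODP group. p is a safe prime, p = 2q + 1,
# and the generator 2 has prime order q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2
KEY_BYTES = (P.bit_length() + 7) // 8


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: enough to sanity-check published parameters."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19)
    if n < 2:
        return False
    if n in bases:
        return True
    if any(n % b == 0 for b in bases):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group() -> bool:
    """Never trust group parameters blindly: p and q prime, g of order q."""
    return (is_probable_prime(P) and is_probable_prime(Q)
            and 1 < G < P - 1 and pow(G, Q, P) == 1)


def gen_private() -> int:
    """Private exponent x in [2, q-1], drawn from the OS CSPRNG."""
    while True:
        x = int.from_bytes(os.urandom(KEY_BYTES), "big")
        if 2 <= x < Q:
            return x


def public_value(x: int) -> int:
    """The value that goes over the wire: g^x mod p."""
    return pow(G, x, P)


def is_valid_peer_value(y: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup (the
    small-subgroup / forced-key tricks an active attacker would try)."""
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1


def shared_key(x: int, peer_y: int) -> bytes:
    """Combine our secret with the peer's public value, then run a KDF over it."""
    if not is_valid_peer_value(peer_y):
        raise ValueError("invalid peer public value")
    s = pow(peer_y, x, P)
    return hashlib.sha256(s.to_bytes(KEY_BYTES, "big")).digest()


def exchange() -> dict:
    """One exchange: what each side computes and what an eavesdropper sees."""
    a, b = gen_private(), gen_private()          # secrets, never transmitted
    A, B = public_value(a), public_value(b)      # transmitted in the clear
    return {"wire": (P, G, A, B),                # everything the eavesdropper gets
            "alice": shared_key(a, B),           # Alice computes B^a mod p
            "bob": shared_key(b, A)}             # Bob computes A^b mod p
```

Calling `validate_group()` once and then `exchange()` shows both sides deriving the same 32-byte key while the `wire` tuple is all a passive attacker ever sees. The peer-value check matters because an active attacker who sends 1 or p-1 as a public value forces the shared secret to a known constant; that is why IKE and TLS implementations reject those values.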

These three algorithms are well known by most security engineers. However, Elliptic Curve Cryptography (ECC), in particular the Elliptic Curve Digital Signature Algorithm (ECDSA) for signatures and ECDH for key exchange, is increasingly used because ECC provides comparable security to RSA or DSA with much smaller keys: a 256-bit ECC key is roughly equivalent to a 3072-bit RSA key. Therefore, ECC is the best option for mobile devices, because it requires less computational overhead and less bandwidth for keys and signatures.

Elliptic Curve Digital Signature Algorithm

On the whole, when you are going to configure encryption for anything, it's better to know which algorithm fits your architecture, because if you don't choose the right one, network performance could be degraded. One caveat for the VPN case from the first paragraph: in a site-to-site IPsec VPN the asymmetric algorithm (RSA, DSA, ECDSA or Diffie-Hellman) is only used during key negotiation (IKE), while the bulk traffic is encrypted with a symmetric cipher such as AES. A firewall that cannot sustain the tunnel throughput is therefore limited by the symmetric cipher and by whether it has hardware offload for it, not by the choice between RSA and ECC.

Regards my friends. Have a nice day!

2 September 2019


Virtualization has lots of advantages, and this is the main reason why most services are already virtualized. I didn't know anything about virtualization when I finished my degree at University, but later on I started working as a system administrator, where I learnt about virtualization with XenServer and VMware. I realised the power of virtualization. Most web servers and applications were virtualized, which made them easier to manage. Today, there are Virtual Networks Everywhere, thus firewalls, load balancers, etc. are also virtualized.

I still remember the first time I installed and configured a pair of Radware Alteon 5224 XL. It was five years ago. It is an appliance which supports virtual load balancers. Therefore, I created load balancer instances in the Radware hypervisor. However, I'm right now in a new project with a pair of F5 BIG-IP i5800 where we are going to configure load balancer instances in the BIG-IP. Both vendors have hypervisors for virtualization but with different concepts. For example, virtual load balancers are called vADC instances in Radware, while they are vCMP guests in F5.

Radware ADC virtualization infrastructure

vCMP, or Virtual Clustered Multiprocessing, is a feature of BIG-IP that lets us deploy several instances of BIG-IP on one hardware platform. The host allocates CPU cores (with memory assigned in proportion to the cores) and disk to each guest, which is a virtual machine running the TMOS operating system. This is useful because we can have a guest for each application: for instance, one guest for eCommerce, another for Oracle, etc. If we have to upgrade the software of one guest for whatever reason, we can do it without service interruption in the other guests.

Example of a four-guest vCMP system

You may be wondering how networks are configured. vCMP is a true multi-tenant environment where guest administrators can't configure layer 2 settings, so these have to be configured by the host administrator. Therefore, the host administrator configures VLANs and trunks and assigns VLANs to each guest, while guest administrators configure the layer 3 settings such as Self IP addresses, virtual servers, etc. It's important to highlight that the guest management network can be isolated or bridged: in bridged mode the guest's management interface is reachable on the host's management network, while in isolated mode it is only reachable from the host. Bridged mode is the recommended configuration.

Isolation of network objects on the vCMP system

When you are planning to configure vCMP on a BIG-IP appliance or on a VIPRION chassis, you should take into account the amount of CPU and memory available for guest instances, because it is limited. For example, if the hardware appliance has 8 cores and 48 GB of RAM, we won't be able to allocate more than that across all guests. In addition, once a guest is deployed, we can't allocate more cores (and therefore more memory) to it while it is running. If we want more CPU or memory, we'll have to take the guest out of the deployed state, reconfigure it and deploy it again, which interrupts service for that guest, so size guests with headroom from the start.

Three guests with varying amounts of core allocation

To sum up, vCMP is an interesting feature to run hosted instances of the BIG-IP software on a single hardware platform. Once a guest is running, we'll configure it as any other BIG-IP. For example, it's important to configure an active-standby cluster between guests, and to place the two members of the pair on different physical hosts (different appliances or chassis), because there is no high-availability configuration at the hypervisor level: a host failure takes every guest on it down.

Regards my friends. Go ahead!!

29 July 2019

Seven years ago ...

Seven years ago I was sitting in my chair as I am today, thinking about what I could write in my recently opened blog. I wanted to write something about networking and security, but I didn't know exactly what to write. The goal was writing, because I wanted to improve the writing skill I needed to pass the English exams at the Official School of Languages. In the beginning, I wrote in Spanish because writing was a hard task for me. However, I ended up writing in English because it's better for improving the writing skill in English.

Writing is not the only skill I wanted to improve, but also the reading skill, to get new vocabulary. Therefore, I try to find time for reading books. For instance, I've read many books in the last year such as Factfulness, The Art of Intrusion or Inside Soviet Military Intelligence, although I've also read the Cyber Strategy of the United States of America and Aprendiendo de los mejores. Actually, I love reading and I've even been reading the Revue Stratégique Cyberdéfense de France.

Writing and reading are important skills for improving languages, but speaking is also very important. I don't speak a lot of English in my job, just from time to time, but I've had the luck to provide training on Networks, Systems, Hacking and Forensics in the last year, where I've been able to improve my speaking skills in my native language. I think students have learnt many interesting things such as Buffer Overflow Attacks or Fileless Malware Forensics. In addition, I've been to a high school to give a speech on Security on the Internet for teenagers.

I think the training courses were interesting because we deployed, installed and configured many tools. For instance, we configured L7 DDoS Mitigation, CSRF Protection, XXE Protection and Bot Protection with F5 BIG-IP ASM. In addition, I've tested SSO Authentication, Portal Access & Webtops, and SSO for Terminal Services with F5 BIG-IP APM. The new version 14.0 of BIG-IP added lots of features and improvements such as the new HTML5 Dashboard or the Threat Campaigns subscription.

During the last year, the new version 6.2 of FortiOS has also been released. It's amazing the number of new security features that have been added or improved. Security Fabric, SD-WAN, inspection modes and WiFi 6 are only some of them. In addition, I've installed security appliances such as FortiSwitch, FortiSandbox and FortiWeb, and I've configured two FortiGates in a VRRP domain.

This last year has been rewarding because I've also been working with networks. I've studied Cisco Nexus features such as vPC, FabricPath, Fabric Extender (FEX), etc. I've installed Mellanox switches, where I studied RDMA over Converged Ethernet (RoCE) and Data Center Bridging (DCB). What's more, I've been reading and studying about outdoor wireless links to learn about the Fresnel zone, channel width, signal-to-noise ratio (SNR), EIRP, etc.

Regards my friends. I'm delighted. It's time to rest. It's time for a holiday.

22 July 2019

Outdoor Wireless Link

I studied IT engineering in Extremadura, where I had to take lots of maths subjects. I also took subjects about application development and operating systems. All of them were interesting. However, today I'm mainly working on networking and security. I only took one subject about security, which was optional, and two subjects about networking, but I think it's enough to take the plunge into networking and security projects, because we have to keep studying day in, day out. For instance, I didn't take any subject about wireless links, but I had to study how they work and how to configure them.

I've already had the luck of working on two projects about wireless links. One of them was to provide free WiFi in a small town and the other one was to connect several buildings in the middle of the countryside. Two interesting projects. These days, I'm working on a new project to connect two buildings because there is no Internet connectivity in one of them. Therefore, I have to plan an outdoor wireless link, where I have to take into account the distance between the buildings as well as the Line of Sight (LoS), Fresnel zone, fade margin, frequency, channel width, signal-to-noise ratio (SNR), etc.

Outdoor Wireless Link

There is software which is very useful for planning outdoor wireless links, such as Radio Mobile and AirLink. These tools help us to choose parameters such as frequency, channel width, etc. For instance, we'll have to choose a licence-free frequency or a licensed one. If we want to use a licence-free band at 2.4 GHz or 5 GHz, we'll have to configure the EIRP (transmit power plus antenna gain minus cable loss) according to the regulations of the country where we are going to install the wireless link. However, if we want to use a licensed frequency, we'll have to apply for that licence from the government (the national spectrum regulator).

This software also helps us to know whether there is Line of Sight (LoS) between the sites. This is very important, but visual LoS is necessary rather than sufficient: the first Fresnel zone (at least 60% of it) must also be clear of obstacles, and on long links the Earth's curvature has to be added to the terrain profile. If there is no LoS, we won't be able to predict the link performance during the planning phase. For instance, if there is a partial obstruction by a mountain inside the Fresnel zone, there will be extra attenuation, reflection or diffraction. It's also important to highlight that lower frequencies propagate to greater distances with less attenuation, because free-space path loss grows with frequency: a 2.4 GHz link reaches further than a 5 GHz link with the same EIRP, at the cost of more interference and less available channel width.

Line of Sight - LoS
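The planning steps above (EIRP limit, Fresnel clearance with Earth curvature, path loss and fade margin), as an added example that is not part of the original post. The formulas are the standard ones a planner such as Radio Mobile applies; the link itself (10 km at 5.8 GHz, a 445 m hill in the middle, radio power, antenna gains, receiver sensitivity and a 36 dBm EIRP limit) is constructed for illustration, and the EIRP limit has to be replaced by the figure your national regulator publishes for the band.

```python
"""Outdoor point-to-point link planning: first Fresnel zone, Earth bulge,
free-space path loss, EIRP limit and fade margin.

Added example, not code from the original post. Standard formulas; the link
parameters, the terrain profile and the 36 dBm EIRP limit are constructed
(replace the limit with your regulator's value for the band).
"""
import math

EARTH_RADIUS_KM = 6371.0


def fresnel_radius_m(d1_km: float, d2_km: float, freq_ghz: float, zone: int = 1) -> float:
    """Radius of Fresnel zone n at a point d1 from one end and d2 from the other."""
    return 17.32 * math.sqrt(zone * d1_km * d2_km / (freq_ghz * (d1_km + d2_km)))


def earth_bulge_m(d1_km: float, d2_km: float, k: float = 4 / 3) -> float:
    """Apparent rise of the Earth between the ends; k = 4/3 is the usual refraction factor."""
    return 1000.0 * d1_km * d2_km / (2.0 * k * EARTH_RADIUS_KM)


def fspl_db(distance_km: float, freq_ghz: float) -> float:
    """Free-space path loss. The 20*log10(f) term is why 5.8 GHz loses ~7.7 dB
    more than 2.4 GHz over the same distance."""
    return 20.0 * math.log10(distance_km) + 20.0 * math.log10(freq_ghz) + 92.45


def path_clearance(profile, h_tx_m: float, h_rx_m: float, freq_ghz: float, k: float = 4 / 3) -> dict:
    """Check every terrain point against the straight line between the antenna tops,
    with Earth bulge added to the terrain. 60% rule: the worst point must keep at
    least 0.6 * F1 of clearance, otherwise visual LoS alone is not enough.
    profile: [(distance_from_tx_km, terrain_height_m), ...] including both ends."""
    total = profile[-1][0]
    tx_top = profile[0][1] + h_tx_m
    rx_top = profile[-1][1] + h_rx_m
    worst = None
    for d1, ground in profile[1:-1]:
        d2 = total - d1
        los_height = tx_top + (rx_top - tx_top) * d1 / total
        obstacle = ground + earth_bulge_m(d1, d2, k)
        f1 = fresnel_radius_m(d1, d2, freq_ghz)
        ratio = (los_height - obstacle) / f1
        if worst is None or ratio < worst["ratio"]:
            worst = {"d_km": d1, "clearance_m": los_height - obstacle, "f1_m": f1, "ratio": ratio}
    worst["ok"] = worst["ratio"] >= 0.6
    return worst


def plan_link(distance_km, freq_ghz, tx_power_dbm, tx_gain_dbi, tx_cable_db,
              rx_gain_dbi, rx_cable_db, rx_sensitivity_dbm, eirp_limit_dbm,
              min_fade_margin_db=15.0) -> dict:
    """Link budget: cap transmit power so the EIRP stays legal, then check whether
    the receive level leaves enough fade margin for rain, multipath and ageing."""
    max_tx = eirp_limit_dbm - tx_gain_dbi + tx_cable_db   # legal ceiling for the radio
    tx_used = min(tx_power_dbm, max_tx)
    eirp = tx_used + tx_gain_dbi - tx_cable_db
    loss = fspl_db(distance_km, freq_ghz)
    rsl = eirp - loss + rx_gain_dbi - rx_cable_db           # received signal level
    margin = rsl - rx_sensitivity_dbm
    return {"tx_power_dbm": tx_used, "eirp_dbm": eirp, "fspl_db": loss,
            "rsl_dbm": rsl, "fade_margin_db": margin,
            "fade_margin_ok": margin >= min_fade_margin_db}


# Constructed scenario: two buildings 10 km apart with a 445 m hill in between.
PROFILE_KM_M = [(0.0, 420.0), (2.5, 430.0), (5.0, 445.0), (7.5, 438.0), (10.0, 425.0)]


def example() -> dict:
    """The plan for the constructed link: clearance with 12 m and 32 m masts, and
    the budget with a 23 dBm radio, 23 dBi dishes and an assumed 36 dBm EIRP limit."""
    return {
        "masts_12m": path_clearance(PROFILE_KM_M, 12.0, 12.0, 5.8),
        "masts_32m": path_clearance(PROFILE_KM_M, 32.0, 32.0, 5.8),
        "budget": plan_link(10.0, 5.8, tx_power_dbm=23.0, tx_gain_dbi=23.0,
                            tx_cable_db=1.0, rx_gain_dbi=23.0, rx_cable_db=1.0,
                            rx_sensitivity_dbm=-80.0, eirp_limit_dbm=36.0),
    }
```

`example()` shows the two failure modes a planner hits: with 12 m masts the hill sits above the line of sight at the 5 km point (negative clearance), and with 32 m masts the 60% Fresnel rule is met but the EIRP cap forces the radio down to 14 dBm, leaving about 10 dB of fade margin, below the 15 dB the function asks for. The fix in that case is more antenna gain on the receive side or a lower-rate modulation with better sensitivity, not more transmit power.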

When we are going to choose an access point for a wireless link, we also have to take into account what the network is going to be used for, because VoIP traffic does not have the same network requirements as data traffic. For instance, a single G.711 VoIP call with 20 ms packetization generates 50 packets per second in each direction, with a strict latency and jitter budget, while video streaming can need around 1000 PPS, so the radio's packets-per-second capacity matters as much as its raw throughput.

TCP-IP Packet

To sum up, there are lots of technical parameters we should know before installing an outdoor wireless link. The Line of Sight, frequencies, channel width, etc. should be studied carefully to install a wireless link successfully. Therefore, if we want an efficient and reliable wireless link, we'll have to study these concepts at University or by ourselves.

Regards my friends. Drop me a line with the first thing you are thinking!

15 July 2019

FortiWeb - SQLi Test

I've already written a lot about Web Application Firewalls (WAF). I think these appliances are useful for securing web applications at layer 7 from sophisticated attacks such as XXE or CSRF attacks. In fact, I've already deployed, installed and configured several WAF appliances such as F5 BIG-IP ASM and AWS WAF. However, I had never deployed, installed and configured the Fortinet FortiWeb WAF appliance until last week.

Fortinet FortiWeb is a Web Application Firewall which has many more web security features than a FortiGate to block web application attacks. For instance, FortiWeb can be configured with Machine Learning to build a model of normal requests and flag anomalies, which helps against unknown exploits as well as known ones. Therefore, FortiWeb defends applications from known vulnerabilities and, to some degree, from zero-day threats. I think FortiWeb is easy to manage and configure, like any other Fortinet appliance. In addition, FortiWeb can also be integrated into the Fortinet Security Fabric.

There are lots of network topologies to deploy a WAF. On the one hand, we should always deploy the WAF behind the network firewall, so that the WAF is between the firewall and the web servers. A WAF and an IPS are not the same. Most network firewalls have an IPS, which is useful to block layer 3/4 attacks such as IP spoofing or DoS attacks, plus known exploit signatures. However, a WAF is useful to block layer 7 attacks (SQL injection, XSS, CSRF, XXE, etc.) because it parses HTTP and understands the application. Therefore, we should block the layer 3/4 attacks first and then the layer 7 attacks.

FortiGate + FortiWeb

On the other hand, we should deploy the WAF in front of the load balancer, so that the WAF is between the load balancer and the clients. There are two main reasons for this deployment. Firstly, we don't have to load-balance the WAF devices, so the load balancer only balances the real servers. Secondly, HTTP requests will correctly appear to originate from the real client's IP address rather than (due to SNAT) from the load balancer, so WAF logs and IP-based policies work.

FortiWeb + FortiADC

These are two recommendations for planning the network topology. However, we have to take another one into account: the WAF deployment mode, router mode versus one-arm mode. In router mode the real servers' default gateway is the WAF, so there is no SNAT, but we need a new network to deploy the WAF between the real servers and the network firewall. One-arm mode is easier to deploy because we don't need a new network, but SNAT configuration is required, so the X-Forwarded-For (XFF) header has to be enabled on the WAF, and the web servers must trust that header only when the request comes from the WAF's own address, in order to log the client's real IP address. In one-arm mode, also make sure the network firewall only allows the WAF to reach the web servers; otherwise the WAF can be bypassed.

One-arm mode topology
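The XFF point from the one-arm discussion above has a classic server-side pitfall, so here is an added example (not code from the original post) of how an application behind a WAF in SNAT mode should recover the client address. The addresses (WAF 10.10.10.5, an internal load balancer 10.10.10.6, the client and attacker addresses) and the request set are constructed for the demonstration.

```python
"""Recovering the real client IP behind a WAF in one-arm (SNAT) mode.

Added example, not code from the original post. With SNAT the web server sees
the WAF's address as the TCP peer and must read X-Forwarded-For, but that
header is client-controlled unless only the hops you own are trusted. The
addresses (WAF 10.10.10.5, internal load balancer 10.10.10.6) are constructed.
"""
import ipaddress

# Only the devices allowed to insert/append XFF on the way to this server.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.10.5/32"),
                   ipaddress.ip_network("10.10.10.6/32")]


def _parse(addr: str):
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted_proxy(addr: str) -> bool:
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip_naive(remote_addr: str, xff: str = "") -> str:
    """What many applications do: take the first XFF entry. Anyone can forge it."""
    first = xff.split(",")[0].strip()
    return first or remote_addr


def client_ip(remote_addr: str, xff: str = "") -> str:
    """Walk the chain from the right, skipping our own proxies; the first hop that
    is not ours is the client. If the TCP peer is not one of our proxies (router
    mode, or someone bypassing the WAF), XFF is just client input: ignore it."""
    if not _is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted_proxy(hop):
            continue
        ip = _parse(hop)
        return str(ip) if ip is not None else remote_addr   # garbage in chain: fall back
    return remote_addr


# Constructed requests: (TCP peer as seen by the server, X-Forwarded-For header).
REQUESTS = {
    "router_mode":  ("203.0.113.7", ""),                       # no SNAT, no XFF
    "one_arm":      ("10.10.10.5", "203.0.113.7"),             # WAF appended the client
    "forged_xff":   ("10.10.10.5", "1.2.3.4, 203.0.113.7"),    # client sent its own XFF first
    "two_proxies":  ("10.10.10.6", "203.0.113.7, 10.10.10.5"), # WAF then load balancer
    "waf_bypassed": ("198.51.100.9", "10.10.10.5"),            # direct hit, fake XFF
}


def resolve_all() -> dict:
    """(naive answer, correct answer) for every constructed request."""
    return {name: (client_ip_naive(peer, xff), client_ip(peer, xff))
            for name, (peer, xff) in REQUESTS.items()}
```

`resolve_all()` makes the difference visible: the naive version reports the forged 1.2.3.4 for `forged_xff` and the WAF's own address for `waf_bypassed`, while the right-to-left walk returns the true client in both cases. The same logic is what you want in the web server's logging configuration and in any IP-based rate limit or allowlist behind the WAF.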

FortiWeb is easy to configure and manage. If we want to configure a basic security policy to defend a web application, we'll have to configure a server pool, a virtual server and a server policy. Firstly, the server pool is the set of real servers which are going to be defended. Secondly, the virtual server is the WAF IP address which is going to listen for HTTP/S requests. Finally, the server policy ties both together and holds the security configuration applied to the traffic between the virtual server and the server pool. For instance, we can watch a basic security configuration in the next video, which defends a web application from a SQLi attack against a query built like this one:

query = "SELECT * FROM users WHERE LAST_NAME = '" + userName + "'";
-- with userName = Lim' OR '1'='1 the statement that actually runs is:
SELECT * FROM users WHERE LAST_NAME = 'Lim' OR '1'='1'
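The query above reproduced against an in-memory SQLite database, as an added example that is not code from the original post or the video: the string-concatenated version beside the parameterised fix, run with a normal name, with the tautology payload and with a UNION payload. The tables, rows and the second `credentials` table are constructed for the demonstration.

```python
"""The query from the FortiWeb SQLi demo, reproduced against an in-memory SQLite
database: the string-concatenated version beside the parameterised fix.

Added example, not code from the original post. The tables, rows and inputs
are constructed; the credentials table is there to show that the same hole also
leaks data the application never meant to query.
"""
import sqlite3

TAUTOLOGY = "Lim' OR '1'='1"
UNION = "x' UNION SELECT id, username, password_hash FROM credentials --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, LAST_NAME TEXT, email TEXT)")
    conn.execute("CREATE TABLE credentials (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (LAST_NAME, email) VALUES (?, ?)",
                     [("Lim", "lim@example.org"), ("Garcia", "garcia@example.org"),
                      ("Perez", "perez@example.org")])
    conn.executemany("INSERT INTO credentials (username, password_hash) VALUES (?, ?)",
                     [("admin", "$2b$12$constructed-hash"), ("backup", "$2b$12$another-hash")])
    return conn


def find_users_vulnerable(conn: sqlite3.Connection, user_name: str) -> list:
    """Same construction as the post: the input becomes part of the SQL text,
    so a quote in it changes the statement instead of the value being matched."""
    query = "SELECT id, LAST_NAME, email FROM users WHERE LAST_NAME = '" + user_name + "'"
    return conn.execute(query).fetchall()


def find_users_safe(conn: sqlite3.Connection, user_name: str) -> list:
    """Parameterised query: the driver binds the input as a value, never as SQL."""
    return conn.execute("SELECT id, LAST_NAME, email FROM users WHERE LAST_NAME = ?",
                        (user_name,)).fetchall()


def demo() -> dict:
    """(vulnerable rows, safe rows) for a normal name and the two payloads."""
    conn = make_db()
    return {name: (len(find_users_vulnerable(conn, value)), len(find_users_safe(conn, value)))
            for name, value in (("normal", "Lim"), ("tautology", TAUTOLOGY), ("union", UNION))}
```

`demo()` returns `{"normal": (1, 1), "tautology": (3, 0), "union": (2, 0)}`: the tautology dumps the whole users table and the UNION payload returns the two password hashes from a table the query never named, while the parameterised version simply finds nobody with that literal last name. A WAF signature catches both payloads on the wire; the bound parameter is what actually closes the hole, and the WAF is the safety net for code you cannot fix.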

Regards my friends. Have a nice day!

8 July 2019

DNS and Web Filtering

The Internet works with IP addresses, but nobody learns the web server's IP address; instead, we learn the domain name. It's like a telephone number: nobody learns the number, instead we search the contacts list. As a result, the DNS service is very important for most companies. Actually, this service has to be always available and the response time has to be fast. In fact, if the root servers were shut down, most people would think there is no Internet.

The DNS service is used by most people as well as by most computers for machine-to-machine communications. However, it's also used by most malware, which may request domain names similar to legitimate ones (typosquatting) or domain names which are totally different and hard to remember, as DGA (Domain Generation Algorithm) malware does. For instance, Zeus variants such as Gameover Zeus, and CryptoLocker, use a DGA to find their C&C server and, thanks to this algorithm, they can bypass static security policies such as IP reputation lists: the attacker only has to register a few of the thousands of names the algorithm generates each day.

Malicious Domain Name

There are lots of security websites which help us to look up a domain name to know whether it is malicious or benign. For example, Open Threat Exchange (OTX) is a website where we can search Indicators of Compromise to get a full description of the attack. VirusTotal is well known by most security engineers, and there it's easy to look up URLs or upload files to know whether they are suspicious or infected. Another interesting website is FortiGuard, where it is also easy to look up domain names and IP addresses. All of these websites are useful for malware forensics.

Open Threat Exchange (OTX)

These security websites are useful for malware forensics. However, if we are browsing them, it's probably because the attack or the infection has already happened. It's late. Therefore, companies should deploy security appliances which are able to analyse DNS requests and responses to look for suspicious domain names. For instance, this kind of service can be configured in FortiGate devices (DNS Filter), where we can block DNS requests and responses by category such as malicious domains, phishing domains, social network domains, etc. A blocked query is answered with the block-page address instead of the real one, which also lets us identify the infected endpoint from the DNS logs.

DNS Filter
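The DGA behaviour described above is also something we can look for ourselves in DNS query logs, before a category feed has caught up with the latest domains. The following is an added example, not code from the original post: a small detector run over constructed log lines in a generic key=value syslog style (not any vendor's format), with constructed query names, three of which on client 10.0.0.27 imitate the random labels a DGA produces. The thresholds are starting points to tune on your own traffic.

```python
"""Flagging DGA-like names in DNS query logs before the C&C lookup succeeds.

Added example, not code from the original post. The log format is a constructed
key=value syslog style (no vendor's format); the query names are constructed
(the three on 10.0.0.27 imitate DGA output). Tune the thresholds on your data.
"""
import math
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")
VOWELS = set("aeiou")
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.es", "com.au", "co.jp"}
# Domains the organisation knows are legitimate; extend this to cut false positives.
ALLOWLIST = {"google.com", "fortiguard.com"}

SAMPLE_LOG = """\
2019-07-08T10:15:02Z client=10.0.0.15 qname=www.google.com qtype=A
2019-07-08T10:15:03Z client=10.0.0.15 qname=cdn.jsdelivr.net qtype=A
2019-07-08T10:15:07Z client=10.0.0.27 qname=q7zrb2nxk9pv4wm.com qtype=A
2019-07-08T10:15:07Z client=10.0.0.27 qname=lfhqkztvbxwpn.net qtype=A
2019-07-08T10:15:08Z client=10.0.0.27 qname=ppsbxdqiyvurnaoz.biz qtype=A
2019-07-08T10:15:09Z client=10.0.0.31 qname=news.bbc.co.uk qtype=AAAA
2019-07-08T10:15:10Z client=10.0.0.31 qname=fortiguard.com qtype=A
2019-07-08T10:15:11Z client=10.0.0.15 qname=stackoverflow.com qtype=A
"""


def registrable_domain(qname: str) -> str:
    """Drop host labels: 'news.bbc.co.uk' -> 'bbc.co.uk', 'www.google.com' -> 'google.com'."""
    parts = qname.lower().rstrip(".").split(".")
    n = 3 if ".".join(parts[-2:]) in TWO_PART_SUFFIXES else 2
    return ".".join(parts[-n:])


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def label_features(label: str) -> dict:
    """Length, entropy, vowel and digit ratios, longest consonant run of one label."""
    letters = [c for c in label if c.isalpha()]
    run = longest = 0
    for c in label:
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        longest = max(longest, run)
    return {"length": len(label),
            "entropy": shannon_entropy(label),
            "vowel_ratio": sum(c in VOWELS for c in letters) / max(len(letters), 1),
            "digit_ratio": sum(c.isdigit() for c in label) / max(len(label), 1),
            "consonant_run": longest}


def dga_reasons(domain: str) -> list:
    """Empty list means 'looks normal'; otherwise the names of the rules that fired."""
    label = domain.split(".")[0]            # the label a DGA actually generated
    f = label_features(label)
    rules = [("consonant_run>=5", f["consonant_run"] >= 5),
             ("no_vowels", f["length"] >= 8 and f["vowel_ratio"] < 0.15),
             ("digit_heavy", f["digit_ratio"] >= 0.25),
             ("high_entropy", f["length"] >= 12 and f["entropy"] >= 3.8)]
    return [name for name, fired in rules if fired]


def analyse(log_text: str) -> dict:
    """Map client -> sorted list of suspicious registrable domains it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        domain = registrable_domain(m.group("qname"))
        if domain in ALLOWLIST or not dga_reasons(domain):
            continue
        hits[m.group("client")].add(domain)
    return {client: sorted(domains) for client, domains in hits.items()}
```

`analyse(SAMPLE_LOG)` returns only `10.0.0.27` with its three DGA-like names; the legitimate labels (including the short `bbc` under `co.uk` and the long `stackoverflow`) pass. Grouping by client is the point: one odd name is noise, but a single host resolving a burst of them, most of which get NXDOMAIN, is the DGA signature an appliance or a SIEM rule should alert on.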

There are also security appliances which are able to analyse HTTP requests and responses to look for suspicious websites. When a computer requests a website, it has already resolved the domain name of that website. Therefore, it's better to block at the DNS request, because it happens before the HTTP request and it also covers protocols other than HTTP that rely on DNS. However, web filtering services are also useful because we can analyse the content of a website: we can inspect the downloaded files to look for malware. In addition, with SSL inspection we can even analyse HTTPS traffic, where lots of malware is downloaded and C&C communications take place.

Web Filter

DNS filtering and web filtering are mandatory for most companies where users have Internet access. However, in medium and big companies, DDI appliances (DNS, DHCP and IPAM) are also useful for better management. This kind of appliance is also able to analyse DNS requests to look for malicious domain names and, because it also holds the DHCP leases, it can produce reports that tie each suspicious query to the endpoint that made it, which is exactly what we need to find infected hosts.

Regards my friends. Keep studying!!!

1 July 2019

Inside Soviet Military Intelligence

I've finished the French language course, thus I've started reading books again. Actually, I've been reading Inside Soviet Military Intelligence by Viktor Suvorov these last two weeks, because I've been less stressed and I've had more free time for reading, sports, beers, etc. Therefore, I've been reading this interesting book, where I've learned how Soviet intelligence worked, what the hierarchical organization structure was, how they recruited illegals, etc. I think this is an interesting book because Russian military intelligence is one of the most powerful intelligence services in the world.

The book was written in 1984 and we can read about the history of the KGB and the GRU, agent recruiting, agent communications, tactical reconnaissance, etc. I've read about two Russian security agencies whose main functions were foreign intelligence and counter-intelligence. This amazing and secret world has many activities which civilians would never think of. For instance, we have recently learned that Skripal and his daughter were poisoned with Novichok, maybe by the GRU.

I'm sure there are many illegal activities out there where intelligence services get whatever they want, no matter how they get it or what they have to do. The aim is getting the information and achieving the goal successfully. This is a useful book to get to know another world. I recommend reading this book if you really love the intelligence services.

Regards my friends. Keep reading!!!

24 June 2019

French Language

I finished the first course for the B1 level in French last week. I'm glad to say I passed the exam. However, this course has been a little bit more difficult than the last one. Obviously!! It's an intermediate level instead of a basic level. I think it has been more difficult because I didn't spend enough time studying. This year, I've had less time to study French than last year. Therefore, I haven't trained the writing, listening, speaking and reading skills very well. Nevertheless, I got good marks. Not very good marks, but good marks.

I got 8.5 in the listening skill, which is very good. I keep listening to France Info radio every time I take a shower. In addition, I've done many listening exercises on the website, and I downloaded lots of listening exercises and exam samples from Official Schools of Languages such as those of Andalusia, the Canary Islands or Galicia. What's more, I'm not used to listening to the radio while I'm driving my car, but I listen to tracks about how to say some sentences in French. All of this has been enough to pass the listening skill.

I think speaking French is one of the most difficult skills because it's hard to train and it's difficult to know whether you are speaking well or making lots of mistakes. It's also difficult because I usually speak Spanish with everybody and I only speak French when I'm at school or I meet up with my classmates. Finally, I've passed the speaking skill with a score of 7.5 thanks to Vaughan Bonjour!, where I spoke alone in my house. Yes, it's true. I've spoken and repeated alone everything I heard from Vaughan Bonjour!

The reading skill is an easy one because understanding every word and sentence is not needed. In addition, there are French words which are written similarly in Spanish. Therefore, it's usually easy to understand texts in French. In fact, it's a skill almost everybody passes. I haven't read a lot for this course. I've only read a few documents such as the Revue Stratégique Cyberdéfense de France, which is really interesting. However, it has been enough to pass the exam with a score of 8.

The most difficult skill for me is writing, and this is the main reason why I'm writing in this blog. When I was studying English, I wasn't able to pass the writing exam properly. Sometimes, I had to retake the exam. As a result, I opened this blog to improve my writing skill. Thanks to this blog and all the documents I've written, I've got a score of 6.75.

This year, there has been a new skill, which is about mediation. For instance, we have a document with pictures and texts, and we have to write and explain to someone what the best dates for buying flights are or how to get somewhere. I got a score of 7. Not bad!!

Regards my friends. Keep learning languages because it also improves your brain!!

17 June 2019

What’s new in FortiOS 6.2

You already know that I like reading about and testing new features. I wrote about What's new in FortiOS 5.6 and What's new in FortiOS 6.0, as well as What's new in BIG-IP version 14.0. Therefore, I'm going to write about What's new in FortiOS 6.2, where there are lots of new features and interesting enhancements for security engineers. Right now, I usually install FortiOS 6.0 on production firewalls, but I think it's good to know the new features and enhancements because maybe we'll need them in the future.

The Security Fabric is increasingly useful when we have more than one Fortinet appliance. For example, FortiOS 6.0 was already able to integrate the firewall with many Fortinet appliances. Consequently, we can see interesting information in FortiView. However, FortiOS 6.2 is also able to integrate the firewall with more Fortinet appliances, such as FortiMail and FortiWeb. In addition, there are more Fabric Connectors available, such as threat-feed connectors for IP addresses and malware hashes, and multi-cloud connectors.

Security Fabric

SD-WAN is another feature which keeps getting better. We can now configure IPsec VPN tunnels over more than one WAN interface to the same remote FortiGate to build an overlay, so VPN bandwidth can be increased easily with multiple Internet links and traffic can be steered across the tunnels. Traffic shaping is also improved: we can configure shaping profiles with the network requirements of applications, such as maximum bandwidth or priority.

SD-WAN - Per Packet WAN Path Steering

There is another feature I really like. In FortiOS 6.0 we can configure only one inspection mode per VDOM: we have to choose between flow-based mode and proxy-based mode. However, if we want to enable the Web Application Firewall profile we need proxy-based mode, but if we want to configure firewall policies by application we need flow-based mode. Therefore, we cannot have both features, WAF and application-based firewall policies, at the same time. FortiOS 6.2 moves the inspection mode to the firewall policy, so both inspection modes can be used in the same VDOM at the same time.

Inspection Mode

Wireless and switching improvements have been included in FortiOS 6.2. This new version supports WPA3 and WiFi 6 (802.11ax). For instance, we'll be able to configure WPA3 transition mode, which is useful for wireless networks where there are mobile devices that support WPA2 but not WPA3. What's more, security enhancements have been included for FortiSwitch, such as maximum bandwidth and priorities for quarantine VLANs.

Twenty-year timeline of 802.11 standards

FortiOS 6.2 has lots of new security features and enhancements which will be very interesting for most companies and security engineers. Today, most FortiGate firewalls run FortiOS 6.0, but they will run FortiOS 6.2 in the near future.

Regards my friends. Have a nice day ;-)

10 June 2019

Operation Sharpshooter

I would like to learn more and more about how the latest malware works. In fact, from time to time, I read about the techniques they are using to exploit operating systems and get the information they are looking for. I like this kind of information because I think it's useful for my job. Firstly, it's useful because we stay updated about the latest vulnerabilities, which is a best practice. Secondly, it's useful because we can protect services better when we know how attacks work. Finally, it's fun and rewarding to know how malware works.

Today, I'm going to write about Operation Sharpshooter, one of the latest malware campaigns. This operation uses the Rising Sun implant against critical infrastructure, government and finance: nuclear power stations, banking, electrical companies and the army. This malware is similar to the Duuzer backdoor because both decode and exfiltrate information in the same way. Security researchers think Operation Sharpshooter comes from the Lazarus Group.

How does this operation work? Firstly, the attackers gather lots of information about people who work in the company they want to attack. Secondly, they send the victims a malicious document about a new and better job. Thirdly, the victims open the malicious document, whose macro runs shellcode in memory. This shellcode downloads the Rising Sun implant and a decoy document. Finally, the implant gathers lots of information, such as the operating system, computer name and IP address, and sends it encrypted to the control server.

Infection flow of the Rising Sun implant, which eventually sends data to the attacker's control servers

Actually, I've seen many operations like this where social engineering and spear phishing are the way of getting malware into the organization. However, this kind of operation is increasingly persistent and targeted at specific companies. Therefore, it's more difficult to detect these campaigns. For instance, we already know about this operation against some critical infrastructure, but we don't know yet what the goal of gathering and exfiltrating this information is.

Thanks for reading my blog!! If you know books about malware, write it down in the comments!
