Happy New Year

This year is nearly ended. I’m hear. Writing in my room. Thinking about what I’ve been doing this year. I’m sure I’ve done many things. Lots of them are written in this blog. Some of them will keep in my head. Many other things will be forgotten. This year has been thrilling but with ups and downs. I have to keep only the good things and throw away the bad ones. I think this is the best way to go ahead. I’m lucky. I’ve been working in many projects. I’ve met up many IT professionals. I’ve learnt a lot this year.

At the beginning of the year, I was the teacher of a ethical hacking course and another one about forensics in Merida where students learnt many hacking and forensics techniques such as fileless malware forensics. I also installed and configured two pairs of Mellanox Ethernet Switches in a datacenter with 100 Gbps links. Thanks to this project and these datacenter switches I learnt about RDMA over Converged Ethernet (RoCE). In addition, I was studying about Cisco Data Center technology such as Cisco Nexus vPC or Cisco Nexus FabricPath.

Before summer, I was studying a lot about French Language and I passed the exams at Official School of Languages. Today, I keep learning French and I would like to pass the B1 level in 2020. I worked in new projects. Mainly, projects about firewalls and load balancers. I didn’t know anything about the ISA-95 levels for Industrial Systems till I worked for a big industrial company. Any step and any change should be documented and notified with a change procedure. Amazing!

Summer was for reading and learning new tech things. I read Inside Soviet Military Intelligence, No Logo and the National CyberSecurity Strategy of Spain. In addition, I installed the RedHunt OS for Adversary Emulation and Intelligence which is useful for testing Red Teams and Blue Teams. I was working almost the whole summer. I was only on holiday for a few days because I had to finish two projects. One project about FortiWeb and another one about F5 BIG-IP vCMP. Both really interesting.

The end of the year has been thrilling and rewarding. We have moved Ariolo Cloud Services from one datacenter to another one which has better facilities. Therefore, the same BGP AS Number in two datacenters has been mandatory. I’ve worked a lot with F5 BIG-IP. You can watch all the videos I’ve uploaded to my YouTube channel. I’ve configured OAuth with Facebook, SAML with AWS and SAML with Salesforce. OAuth and SAML are two protocols I didn’t know, but once I know, I've realised they are really interesting as Multi-Factor Auth for Cloud Applications.

To sum up, this has been a year with lots of projects. I’ve mainly been working in security and networking projects but I’ve also been working with virtualization, storage, systems and cloud computing. Actually, I haven’t had time to get bored.

Merry Christmas and Happy New Year.

F5 BIG-IP APM - AutoLaunch SAML Resources

I think Webtop and Web Access are great to have a Single Sing-On (SSO) Portal. In fact, we can configure a SSO Portal like Google does with applications such as Gmail, Drive, Calendar, etc. Therefore, we can access with a single password in a single web portal to all applications. 
 

We have already known how to configure cloud connectors, such as an AWS Connector and a Salesforce Connector, with SAML in a Web Access. Accordingly, there is a web portal with Webtops which launch SAML resources for SSO access to AWS and Salesforce. However, if we want automatically launch SAML resources and skip the Webtop, we’ll have to make some changes into the configuration.

Visual Policy Editor

 

Firstly, we no longer need Web Access neither Webtops. Thus, we can uncheck these configurations. Secondly, we have to add an iRule to the virtual server hosting the access policy. Finally, we can enjoy the better user's experience.

Best regards my friends. Keep learning!

F5 BIG-IP APM - Setup a Salesforce Connector

I’m working a lot with F5 BIG-IP APM lately. Actually, I’ve been configuring F5 BIG-IP APM – SAML. For example, you can watch in the last post how to configure an AWS Connector in F5 BIG-IP APM. Today, I’ve published a new video where you can watch how to configure a Salesforce Connector in F5 BIG-IP APM. These two videos are really similar but they have helped me to understand how SAML works and how to configure SAML in F5 appliances. 

Best regards my friends. Keep learning!

 

F5 BIG-IP APM - Setup an AWS Connector

I’ve already written about F5 BIG-IP APM – SAML but I also wanted to know how SAML works in F5 APM. I wanted to know how to configure SAML in F5 APM. Therefore, I’ve been testing with the AWS Connector for SAML these days. We can watch in the next video how to configure F5 APM as a IdP (Identity Provider) Service and AWS as a SP (Service Provider). At the end of the video, we’ll watch how users, which are in the F5 database, can access to the AWS console.

Best regards my friends. Keep learning!

Five OSSTMM Security Areas

I heard about OSSTMM five or six years ago at Ariadnex for the first time. I didn’t learn anything about hacking at University. However, I wanted to learn more and more about security. Therefore, I studied for the CISA and CISM certifications. I got it! Today, I’m working as a teacher for IT Security courses. In addition, I work as an auditor on information security. When I work as an auditor, the ISO/IEC 27001 is the best standard for auditing policies, procedures and controls but if I have to test the company, OSSTMM is the best methodology.

OSSTMM has mainly five security areas. Human Security Testing is the first one. Employees are not used to working with a security mindset. They are working in their tasks. Most of the time, they don’t want to know anything about security. Therefore, a social engineering attack give you whatever. A social engineering attack is useful to get sensitive information. This first security area takes into account the personnel security awareness. However, I think social engineering attacks aren’t easy because we have to cheat people.

The second security area is Physical Security Testing. Have you ever steal something? Have you ever gone in a house where nobody told you to go in? This security area assesses access controls, security processes and physical locations. It’s amazing how the OSSTMM tell you equipment is important. “Equipment can range from rope to climb walls to SCUBA gear to travel under water”. I think physical security testing is also very difficult for most people because we’ll have to hide and not make noise for “stealing” sensitive information.

The Wireless Security Testing is the third security area. We are going to test the spectrum security (SPECSEC) thus we’ll have to be near locations. The objectives of this security area are physical and logical barrier testing. In addition, the spectrum security includes electronics security (ELSEC), signals security (SIGSEC) and emanations security (EMSEC). It’s also interesting how OSSTMM tell us we “need to be prepared for the possibility of accidental bodily harm from exposure to electromagnetic and microwave radiation”.

The fourth security area is Telecommunications Security Testing. This security area is within the electronics security (ELSEC) realm where we are going to analyse telecommunications over wires. What are the attack vectors we are going to test? PBX testing, voice mailbox testing, Voice over IP testing (VoIP), etc. We’ll have to know about digital and analog telecommunications.

Finally, the last and fifth security area is Data Networks Security Testing. This is my favourite one because we can attack computer systems and network systems. However, we have to do it with stealthy. We have to avoid disclosure of the tests by operators. It’s easier than the previous security areas and we don’t have to be near the target. Some engineers consider this area as “penetration testing”. Networking knowledge and security testing skills are required in this area for Analysts.

Best regards my friends. Keep reading and keep learning my friends!

F5 BIG-IP APM - OAuth with Facebook

These days I’m working a lot with F5 BIG-IP APM. In fact, I’ve been configuring the SAML and the OAuth protocols. I wrote about F5 BIG-IP APM – SAML last month and I’ve been recording a new video about OAuth Federation with F5 this week. OAuth is increasingly used by companies such as Google or Facebook and it’s useful to share information about their accounts with third party applications or websites. For instance, we can watch in the next video how we can authenticate in a website with a Facebook account. In addition, we send HTTP headers with the username and the provider to the website for the Single Sign-On (SSO) process.

Best regards my friends. Have a nice day!

Tips for a Multihoming BGP network

I’ve written about Same BGP Autonomous System Number in two Datacenters recently because I wanted to connect two datacenters through Internet with the same AS Number. However, I have a new task for these days. I have to add more than one ISP to the datacenter. Therefore, I will have to configure BGP properly for several ISPs, which is an interesting and amazing task. It’s also an advanced routing task because a configuration mistake can shut down Internet to customers. I really love networking.

Connecting to Two or more ISPs

Firstly, it’s important to know how Internet routers view our networks. There are lots of websites on the net which are useful to know how other routers can send packets to our networks. There are even routers where we can access freely with read-only access to run commands, which are also useful to see how Internet routes learn our networks. For instance, there are lots of free access routers in the www.routeviews.org website where we can choose a router, access with the Telnet application and finally run commands.

Route Views Project

 

Once we have accessed to a router, we can run commands. It’s important to know what commands we have to execute as well as we have to understand the output. The show ip bgp command is the best one to know how other routers view our networks. For instance, we can run show ip bgp + network IP address to know how many paths there are from one router to our network. We’ll see all paths and the best path, which is the active path. This command is useful to see the BGP topology database.

BGP Topology Database

 

The BGP topology database or BGP forwarding database is a table where all paths are store. This database is updated by the BGP process and we can search how routers can send packets to every network in this database as well as we’ll know attributes such as metric, local preference, weight, etc. It’s important to highlight BGP topology database is different to the routing table because the routing table only has the best path instead of all path as the BGP topology database does.

Routing Table

 

There is an interesting website I’m used to visiting. The Réseaux IP Européens Network Coordination Centre has lots of resources about IPv4 addresses, IPv6 addresses and autonomous system numbers. For instance, we can see easily from the www.ripe.net website how different routers from Internet see our network. Therefore, it’s easy to see from this website if our network is advertised through several ISPs.

RIPE NCC

 

Finally, if you work as a network engineer, you’ll have to understand dynamic routing protocols such as BGP properly. If you are going to advertise your own routes to Internet, you’ll have to know how the BGP protocol works. If you are not sure what you are doing, the best option is to contact with professional services.

Best regards my friends. Keep learning! Drop a line with the first thing you are thinking!

Así se domina el Mundo

I like reading. I don’t have much time for reading but I like reading at least 10 minutes a day. I’ve needed more than two months for reading the last book, but I’ve finished it. Great!! Así se domina el mundo by Pedro Baños has been the last book I've read. Pedro is a Spanish military and Colonel of the Spanish Army who is specialized in geostrategy, defense, security, terrorism and intelligence. Actually, I didn’t know anything about this man till I’ve read this book. If you like these topics, you can also watch “La mesa del coronel (Cuatro)” where Pedro works as a presenter.

This is a book mainly about geopolitics and geostrategy. These are two concepts I didn’t know very well. Geopolitics is the study of the effects of Earth’s geography (human and physical) on politics and international relations. However, geostrategy, which is a subfield of geopolitics, is a type of foreign policy guided principally by geographical factors as they inform, constrain, or affect political and military planning. Therefore, geopolitics and geostrategy are very important because the world is defined by these two concepts.

If you want to know about geopolitics and geostrategy, you’ll have to study history. The world is like it is today thanks to history. For instance, Crimea was in Ottoman Empire, which recognised the independence of Crimea, but was then conquered by the Russian Empire. During Soviet Union, Crimea was autonomous in the Ukrainian Republic but the Russian Federation wants Crimea goes back to Russia. Today, Crimean people is divided between Russians, Ukrainians, Crimean Tatars, Belarusians, Armenians and others. To sum up, it’s a mess. What’s more, there are lots of mess like this around the world.

We can read in this book some immutable geopolitical principles. These principles are very important to understand why the world and countries make decisions. For example, States are like living being which move mainly by the economy. We can see the trade war between China and US. Both countries are fighting to dominate the world. However, history and allies are also two immutable principles very important in geopolitics.

We can also read some interesting geostrategies in this book. Intimidation is one of the strategies most used by States. We can see how most countries show off military equipment. Russia, North Korea, China, US or even Spain show tanks, fighter aircraft and bombs to intimidate adversaries. However, there are many strategies such as the breaking point or support the division. I’m sure some of them will be well known for you.

In addition, we can read some errors made in geopolitic. Idiosyncrasy is something to take into account in geopolitics because each country and each town is different. There are lots of cultures which has to be taken into account. Religions are also important by lots of people. States can make errors in geopolitics which can be dangerous for the future of the country.

That’s all my friends. If you love geopolitics and geostrategic, you should read this book.

Ariadnex – Deep Network Intelligence

I work at ARIADNEX since 2009. I’ve learnt a lot about networking and security in these 10 years. I’ve had the chance of configuring dynamic routing protocols such as BGP, OSPF or RIP. I’ve installed and configured lots of switches and routers. I’ve deployed security tools such as SIEM, Antivirus, IDS/IPS, firewalls, etc. I’ve analysed lots of security alerts to know what’s happened in the network. I’ve even been a teacher in IT courses on network, security, hacking and forensics. I’ve been able to do many tasks in these 10 years.

I’ve realised when there are issues with the network, such as slowness or traffic is not going through the best route, companies and IT engineers get crazy. When there are complex issues, we need a DEEP knowledge for a DEEP analysis. We’ll need networking and security tools where we can analyse lots of metrics such as sessions, flows, traffic, etc. We should even be able to download the packet to know what’s going on. What’s more, if we want to know what happened in the past, one day or two days ago, we should also be able to download these packets for a better analysis.

DEEP

Most applications use the NETWORK to send and receive data. Today, the network is very important in most businesses. Therefore, networking monitoring is a must in most companies because if there are issues, we’ll need to check how the network is performing. Companies need a healthy and clean network, where data is going through, because the network is the highway of data. If you are an IT engineer and you are worried about your data, network monitoring is your friend.

NETWORK

 

Sadly, there are lots of companies which don’t know what’s going in their networks. They can’t perform a deep analysis either. However, there are companies which do have network monitor or even they can perform a deep analysis but they don’t have the third important concept. INTELLIGENCE. Intelligence is required to know exactly what the monitoring tools is recording. Intelligence is required to know exactly what events and logs are recording. We can add intelligence to the monitoring tools with books, study and expertise.

INTELLIGENCE

 

There are many adversarial simulation tools which help us to know if the network and security monitoring tool is working well. FlightSIM is my favourite one because we can easily generate malicious traffic such as C&C traffic, DGA traffic, spambot traffic, etc. However, there are many others useful adversarial simulation tools such as Caldera, BT3 or DumpsterFire. It’s up to you which one you want to use to know if your monitoring tools detect malicious traffic.

Adversarial Simulation Tool

 

We can perform Deep Network Intelligence from Ariadnex but we can improve this intelligence with a Network Packet Broker (NPB). Gigamon is a NPB which can be used to resend a copy of the traffic to the monitoring tools. For instance, we can send a copy of the traffic to SSL Intercept appliances, IDS/IPS appliances, etc. Therefore, A-DNI along with a NPB will be the next generation monitoring tool at Ariadnex.

SSL Inspection with Gigamon

 

Regards my friends. What do you think?

How many teams there are in your company?

There are companies which has already realised they need security engineers to protect services and the information. These companies have at least one or two people who are in charge of the information security. There are also companies which have employees who work with security standards such as PCI-DSS, ISO 27001 or regulations such as GDPR. These people work with lots of paperwork and they have to check procedures, policies, strategies, etc. What’s more, there are also companies which hire a hacking team to know about bugs, misconfigurations and weaknesses that these companies have in their services. However, there are increasingly more people working in the information security. Today, I’m going to write about three new teams: Red Team, Blue Team and Purple Team.

Penetration Testing and Ethical Hacking are well known by most companies which want to identify vulnerabilities and risks on systems and they also want to know if systems can be compromised easily by an attacker. However, Red Team is a group of people who work as adversaries and they are going to test many environments instead of one or two like a pentester does. In addition, it is usually a multidisciplinary team because members come from IT administration, network engineers, Windows and Unix administrations or even developers.

There are many tools which are really useful for the Red Team. For instance, I wrote about RedHunt last month, which is an adversary and intelligence emulator. RedHunt includes security tools such as Caldera, Atomic Red Team, DumpsterFire or Metta. However, there are many other interesting tools for the Red Team. For example, FlightSIM is a utility used to generate malicious traffic such as DGA traffic, requests to known active C2 destinations, etc. Blue Team Training Toolkit (BT3) is another interesting utility that creates realistic computer attack scenarios. Therefore, there are many tools ready for the Red Team.

On the other hand, the Blue Team is a group of people who work to detect attacks and prevent security incidents. They have to identify attacks and intrusions on systems. They have to be alert for reactive or preventive actions as well as they have to block attacks before they succeed. Therefore, they are going to work along with the Red Team. While the Red Team attacks the company, the Blue Team defends the company.

There are lots of well known tools ready for the Blue Team. Antimalware software is a must for endpoints and servers. Network firewalls are installed in most companies. Web Application Firewalls (WAF) are also installed in many companies. SIEM appliances are increasingly installed in companies which want to get logs for analysis and visibility. The Blue Team is more common in most companies than the Red Team.

I think the Red Team and Blue Team tasks are already well understood. However, there are another team, the Purple Team, which is between the Red and Blue teams. The Purple Team is going to use the defensive tactics and controls from the Blue Team and the threats and vulnerabilities found by the Red Team with the aim of maximizes the knowledge of both teams.

Regards my friends. How many teams there are in your company?

Same BGP AS Number in two Datacenters

I remember the first time I studied dynamic routing protocols such as EIGRP, OSPF and BGP. I hadn’t studied anything about these protocols at University but I wanted to pass the CCNP certification exam because I wanted to deep down in networking. These protocols are not used in LAN networks, thus, it’s unlikely you have to configure and know about EIGRP, OSPF or BGP. However, I wanted the three kings bring me an AS and I got it. Since then, I have to manage an AS and when I have to modify something, I have to know exactly what I’m doing. No doubts! No errors!

Recently, the WAN network I manage has had an important change. Right now, there are two datacenters in different places, geographically speaking, but both datacenters are in the same Autonomous System (AS). They were working properly. In addition, WAN public IP addresses in one datacenter were different from the IP addresses of the other datacenter. However, there was an issue. An important issue. Datacenter couldn’t connect each other. There wasn’t connectivity between datacenters. This is a protection feature enabled by default in BGP networks to prevent loops.

Network Topology

Surfing on the net, searching about this issue, I realised there were lots of network engineers who came across they couldn’t interconnect datacenters which share the same AS. The solution. Easy. The “allowas-in” function in BGP is able to override the loop prevention mechanism in the router and allow an instance of AS to be in the AS_PATH attribute. Therefore, both routers and both datacenters can share the same AS and they can send and receive traffic each other.

Actually, I had to configure the “allowas-in” function in two routers. The first one was a FortiGate “router” where BGP is configured in one site. It is easy to configure due to the fact that the “allowas-in {integer}” command allows the AS number as many times as we set the integer. On the other hand, I also run the “neighbor {IPv4 address} allowas-in {integer}” command in a Cisco router to finally interconnect both datacenter with the same AS number.

AllowAS-in Configuration

However, there is another interesting feature in the BGP protocol which can also be used to interconnect both sites with the same AS number. The AS-Override feature is similar to the AllowAS-in feature but the AS-Override function has to be run in the Provider Edge (PE) router instead of on the Customer Edge (CE) router. The “neighbor {IPv4 address} as-override” command just strip the AS number from the BGP UPDATE before sending it to the CE routers.

AS-Override Configuration

These are two interesting functions I didn’t know. I think even these functions are not in the CCNP curriculum but in the CCIE curriculum. Once you know these features, you will be able to send and receive traffic between sites easily. It’s up to you which one you want to use. If you only have access to CE routers, you’ll run the AllowAS-in function but if you only have access to PE routers, you’ll run the AS-Override function.

Regards my friends. Drop me a line with the first thing you are thinking!!

F5 BIG-IP APM - SAML

There are lots of companies which use software in the cloud. I mean, there are companies which use Software as a Service (SaaS) in the cloud instead of installing the software on site. This is a great advantage because it is usually cheaper and, what’s more, companies don’t have to be worried about upgrades and maintenance tasks. However, when companies have lots of users which have to access to this software, companies want to manage the user database to allow or deny users to the SaaS application.

OAuth, SAML and OpenID are some standards ready for the decentralized authentication. Therefore, thanks to these standards, companies can use SaaS applications while the user database is on site. For instance, this can be accomplished with SAML or the Security Assertion Markup Language where there are an Identity Provider (IdP) and many Service Providers (SP) as SaaS applications. The IdP could be configured in a pair of F5 BIG-IP APM while the SP would be Google Apps, AWS, Office 365, etc.

Fortinet SAML service

When we use a decentralized authentication as SAML with F5 APM, there are four steps. Firstly, user logs on to the IdP and is directed to a web portal. Secondly, user selects a SaaS application from the web portal. Thirdly, F5 APM may retrieve attributes from the user database to pass on with the SaaS service provider. Finally, APM directs the requests to the SaaS service with the SAML assertion and optional attributes via the user browser. However, there are another similar configuration with five steps, where the user access the the SaaS service in the first place. It’s up to you which one suit with your infrastructure.

Configuration example

 

There are SaaS services which may require attributes such as account ID, Role or whatever and these attributes have to be sent to the application from the IdP through the user web browser. For instance, AWS SAML assertions use two SAML attributes. The first is used to identify the Username that is associate with the session, and the second identifies the AWS Security Role that should be assigned to the session.

AWS SAML Attributes

 

F5 APM can be configured as an IdP as well as SP. Once you know the concepts, the SAML configuration is easy to deploy in F5 APM thanks to iApps and the Visual Policy Editor (VPE) where the IT engineer is going to answer many questions in the wizard and is going to modify the boxes in the VPE to fit the configuration to the infrastructure. The VPE is an useful tool which help us to add and delete boxes such as a webtop with many SaaS applications.

Visual Policy Editor

 

If you would like to test a configured federated domain with your F5 APM against AWS, you can do it with this Assertion Consumer service URL (https://signin.aws.amazon.com/saml). Once you type the Active Directory credentials, the BIG-IP system should issue SAML Assertion to the SaaS application. Nevertheless, if you have any issue, you can use the Firefox SAML Tracer Plugin, HTTP Watch or Fiddler to trace them.

Regards my friends. Keep learning! Keep studying!

National Cybersecurity Strategy of Spain

Six years ago I wondered if Spain were sold because most security appliances installed in the public and private sector were made outside of Spain. Most of these technologies are even made outside of the European Union. Therefore, I thought Spain were sold in the cyber war because firewalls, SIEMs, antivirus, etc were out of control. Consequently, I’ve read many security strategies since then, such as the Security Directives for the European Union, DoD Cyber Strategy of the U.S. of America, the National Cyber Strategy of the U.S. of America or the Revue Stratégique Cyberdéfense de France, because I wanted to know how countries mitigate the risk of working without own IT technology.

This weekend I’ve read the National Cybersecurity Strategy of Spain where there are five goals and seven lines of action. For instance, the first goal is the security and resilience of the information and communications for the public sector and essential services. I think this is a very important goal due to the fact that essential services such as water and energy should be protected against cyber attacks.

The second goal highlights the cybercrime where the government of Spain are going to investigate illicit and malicious acts to encourage citizen trust in the cyberspace. This goal wants we trust in the cyberspace which is shared with malicious people. Therefore, we’ll use this space as long as we trust in the cyberspace. Cooperation, collaboration and participation will help to fight against cybercrime.

The third goal about protecting the business and social ecosystem and citizens is my favourite because it encourages companies to “develop cybersecurity products, services and systems specially those that uphold national interest needs to strengthen digital autonomy”. I really love this sentence because they have realised Spain needs to develop products, services and systems to protect them self.

A better cybersecurity culture and technological skills for people are in the fourth goal. This is also an important goal because people have to know there are risks in the cyberspace. Risks such as blackmail, theft, deception, etc are also in the cyberspace. In addition, this goal takes into account the improvement of technological skills which will also be useful to develop new cybersecurity activities.

The last and fifth goal is about the international cyberspace security where Spain gets collaboration and also shares information about best security practices and cybercrime. We can read in this goal lots of forums where Spain participates such as the Internet Governance Forum (IGF), the Organisation for Security and Cooperation in Europe (OSCE) and many more forums. This is also the goal where we can read the support to the European Union.

Regards my friends, drop me a line with the first thing you are thinking!!!