Seven years ago ...

Seven years ago I was in my chair like today I do. Thinking about what I could write in my recently opened blog. I wanted to write something about networking and security but I didn’t know exactly what to write. The goal were writing because I wanted to improve the writing skill which was needed to pass the English exams at Official School of Languages. In the beginning, I wrote in Spanish because writing was a hard-working task for me. However, I ended up writing in English because it’s better for improving the writing skill in English language.

Writing is not the only skill I wanted to improve but also the reading skill to get new vocabulary. Therefore, I try to get time for reading books. For instance, I’ve been reading many books in the last year such as Factfulness, The Art of Intrusion or Inside Soviet Military Intelligence although I’ve also read the Cyber Strategy of the U.S. of America and Aprendiendo de los mejores. Actually, I love reading and I’ve even been reading the Revue Stratégique Cyberdéfense de France.

Writing and reading are important skills to improve languages but speaking is also very important. I don't speak a lot in English language in my job, just from time to time, but I’ve had the lucky to provide Training on Networks, Systems, Hacking and Forensics in the last year where I’ve able to improve the speaking skill in my native language. I think students have learnt many interesting things such as Buffer Overflow Attacks or Fileless malware forensics. In addition, I’ve been in a high school to make an speech Security on the Internet for teenagers.

I think the training courses were interesting because we’ve deployed, installed and configured many tools. For instance, we configured L7 DDoS Mitigation, CSRF Protection, XXE Protection and Bot Protection with F5 BIG-IP ASM. In addition, I’ve tested with SSO Authentication, Portal Access & Webtops, and SSO for Terminal Services with F5 BIG-IP APM. The new version 14.0 in BIG-IP added lots of features and improvements such as the new HTML5 Dashboard or the Threat Campaigns Subscription.

During the last year, the new version 6.2 in FortiOS has also been released. It’s amazing the amount of new security features that have been improved. Security Fabric, SD-WAN, Inspection modes, WIFI6 are only some features improved. In addition, I’ve installed security appliances such as FortiSwitch, FortiSandbox and FortiWeb as well as I’ve configured two FortiGates in a VRRP domain.

This last year has been rewarding because I’ve also been working with networks. I’ve studied about Cisco Nexus such as vPC, FabricPath, Fabric EXtender (FEX), etc. I’ve installed Mellanox switches where I studied about RDMA over Converged Ethernet (RoCE) and Data Center Bridging (DCB). What’s more, I’ve been reading and studying about Outdoor Wireless Link to know the Fresnel zone, channel width, signal-to-noise radio (SNR), EIRP, etc.

Regards my friends. I'm delighted. It's time to rest. It's time for a holiday.

Outdoor Wireless Link

I studied IT engineer in Extremadura where I had to take lots of maths subjects. I also took subjects about application development and operating systems. All of them were interesting. However, today, I’m mainly working with networking and security. I only took one subject about security, it was optional, and I also took two subjects about networking, but I think it’s enough to take the plunge to do networking and security projects because we have to keep studying day in day out. For instance, I didn’t take any subject about Wireless Links but I had to study how they work and how to configure them.

I’ve already had the luck of working on two projects about Wireless Links. One of them was to broadcast free WiFi in a small town and the other one was to connect several buildings in the middle of the countryside. Two interesting projects. These days, I’m working on a new project to connect two buildings because there is no Internet connectivity in one of them. Therefore, I have to plan an Outdoor Wireless Link where I have to take into account the distance between buildings as well as the Line of Sight (LoS), Fresnel zone, fade margin, frequency, channel width, signal-to-noise ratio (SNR), etc.

Outdoor Wireless Link

There are software which are very useful for planning outdoor wireless links such as Radio Mobile and AirLink. These software help us to choose features such as frequency, channel width, etc. For instance, we’ll have to choose a free frequency or a licensed frequency. If we want to use a free frequency in 2,4 GHz or 5 GHz, we’ll have to configure an EIRP accordingly to the country where we are going to install the wireless link. However, if we want to use a licensed frequency, we’ll have to require that license to the government.

AirLink

These software also help us to know if there is Line of Sight (LoS) between sites. This is very important because LoS allow us to know if the wireless link will be successful. However, if there is no LoS, we won’t know the wireless link performance during the planning phase. For instance, if there is a partial obstruction with a mountain, there could be attenuation, reflection or refraction. It’s also important to highlight how low frequencies can propagate to great distances with little attenuation.

Line of Sight - LoS

When we are going to choose an access point to install a wireless link, we also have to take into account what is the network going to be used for because VoIP traffic has not the same network requirements than Data traffic. For instance, VoIP traffic needs 50 PPS while Video streaming traffic needs 1000 PPS.

TCP-IP Packet

To sum up, there are lots of technical features we should know before installing an outdoor wireless link. The Line of Sight, frequencies, channel width, etc should be studied carefully to install a wireless link successfully. Therefore, if we want an efficient and reliable wireless link, we’ll have to study these concepts at University or by ourselves.

Regards my friends. Drop me a line with the first thing you are thinking!

FortiWeb - SQLi Test

I’ve already written a lot about Web Application Firewall (WAF). I think these appliances are useful for securing web applications in layer 7 from sophisticated attacks such as XXE attacks or CSRF attacks. In fact, I’ve already deployed, installed and configured several WAF appliances such as F5 BIG-IP ASM and AWS WAF. However, I had never deployed, installed and configured the Fortinet FortiWeb WAF appliance till last week.

Fortinet FortiWeb is a Web Application Firewall which has many more web security features than Fortinet FortiGate to block Web Application Attacks. For instance, FortiWeb can be configured with Machine Learning to protect web applications from known and unknown exploits. Therefore, FortiWeb defends applications from known vulnerabilities and from zero-day threats. I think, FortiWeb is easy to manage and configure like any other Fortinet family appliance. In addition, Fortinet Security Fabric can also interoperate with FortiWeb.

There are lots of network topologies to deploy a WAF. On the one hand, we should always deploy a WAF after the Network Firewall, so that WAF is between the firewall and web servers. WAF and IPS are not the same. Most network firewall have an IPS which is useful to block layer 3 attacks such as IP Spoofing Attacks or DoS Attacks. However, WAF is useful to block layer 7 attacks. Therefore, we should block layer 3 attacks before layer 7 attacks.

FortiGate + FortiWeb

On the other hand, we should deploy a WAF before the load balancer, so that WAF is between the load balancer and the clients. There are two main reasons for this deployment. Firstly, we don’t have to balance WAF devices thus we’ll balance real servers. Secondly, HTTP requests will correctly appear to originate from the real client’s IP address, not (due to SNAT) your load balancer.

FortiWeb + FortiADC

 

These are two recommendations for planning the network topology. However, we have to take into account another one. We should know the router mode and the one-arm mode. The router mode is the topology where real servers gateway is the WAF, therefore, there is no SNAT but we need a new network to deploy the WAF between real servers and the network firewall. The one-arm mode is easier to deploy because we don’t need a new network but SNAT configuration is required, therefore, the X-Forwarder-For (XFF) header have to be enabled to know the client’s IP addresses.

One-arm mode topology

 

FortiWeb is easy to configure and manage. If we want to configure a basic security policy to defend a web application, we’ll have to configure a server pool, a virtual server and a server policy. Firstly, the server pool is the real servers which are going to be defended. Secondly, the virtual server is the WAF IP address which is going to listen HTTP/S requests. Finally, the server policy is the security configuration to defend the server pool in the virtual server IP address. For instance, we can watch a basic security configuration in the next video to defend a web application from a SQLi attack.

“select * from users where LAST_NAME = ‘” + userName + “’”;

“select * from users where LAST_NAME = ‘Lim’ OR ‘1’=’1’”;

Regards my friends. Have a nice day!

DNS and Web Filtering

Internet works with IP addresses but nobody learn the web server IP address, instead, we learn the domain name. It’s like the telephone number, nobody learn the number, instead, we search into the contacts list. As a result, the DNS service is very important for most companies. Actually, this service has to be always available and the response time has to be quick. In fact, if the root domain servers were shutdown, most people would think there is no Internet.

The DNS service is used by most people as well as by most computers for machine to machine communications. However, it’s also used by most malware which could request domain names similar to the original one or could request domain names totally different and difficult to remember as DGA malware do. For instance, Zeus and Cryptolocker malware use DGA to connect to the C&C server and, thanks to this algorithm, they can bypass security policies such as IP reputation policies.

Malicious Domain Name

There are lots of security websites which helps us to look for domain names to know if a domain name is malicious or it’s a good one. For example, Open Threat Exchange (OTX) is a website where we can search Indicators of Compromise to have a full description of the attack. VirusTotal is well known by most security engineers where is easy to look for URLs or upload files to know if they are suspicious or infected. Another interesting website is FortiGuard where is also easy to look for domain names and IP address. All of these websites are useful for malware forensics.

Open Threat Exchange (OTX)

The security websites are useful for malware forensics. However, if we are surfing these websites, it's probably because the attack or the infection is already done. It's late. Therefore, companies should install security appliances which are able to analyse DNS requests and responses to look for suspicious domain names. For instance, this kind of service can be configured in FortiGate devices where we can block DNS requests and responses by categories such as malicious domains, phishing domains, social networks domains, etc.

DNS Filter

There are also security appliances which are able to analyse HTTP requests and responses to look for suspicious websites. When the computer requests a website, the computer has already requested the domain name for that website. Therefore, it would be better to block the DNS request because it’s done before the HTTP request. However, web filtering services are also useful because we can analyse the content of a website. We can analyse inside the website to look for downloaded malware. In addition, we can even analyse HTTPS traffic where lots of malware is downloaded or C&C communications are done.

Web Filter

DNS filtering and Web filtering are mandatory for most companies where there are users with Internet access. However, there are medium and big companies where is also useful DDI appliances for a better DNS, DHCP and IPAM management. This kind of appliances are also able to analyse DNS requests to look for malicious domain names. In addition, DDI appliances are able to make reports useful to know what endpoints are infected.

DNS-DHCP-IPAM (DDI)

Regards my friends. Keep studying!!!

Inside Soviet Military Intelligence

I’ve finished the French Language course thus I’ve started reading books again. Actually, I’ve been reading Inside Soviet Military Intelligence by Viktor Suvorov these last two weeks because I’ve been less stressed and I’ve had more free time for reading, sports, beers, etc. Therefore, I’ve been reading this interesting book where I’ve learned how the Soviet Intelligence worked, what was the hierarchical organization structure, how they got illegals, etc. I think, this is an interesting book because the Russian Military Intelligence is one of the most powerful intelligence services of the world.

The book was written in 1984 and we can read the history of the KGB and the GRU, agent recruiting, agent communications, tactical reconnaissance, etc, etc. I’ve read about two Russian security agencies which main functions were foreign intelligence and counter-intelligence. This amazing and secret world has many activities which civilian people will never think. For instance, we have known recently Skripal and his daughter were poisoned with Novichok, maybe, by the GRU.

I’m sure there are many illegal activities out there where intelligence services get whatever they want. No matter how they get it or what they have to do. The aim is getting information and achieving the goal successfully. This is an useful book to know another world. I recommend you reading this book if you really love the intelligence services.

Regards my friends. Keep reading!!!