How many teams there are in your company?

There are companies which has already realised they need security engineers to protect services and the information. These companies have at least one or two people who are in charge of the information security. There are also companies which have employees who work with security standards such as PCI-DSS, ISO 27001 or regulations such as GDPR. These people work with lots of paperwork and they have to check procedures, policies, strategies, etc. What’s more, there are also companies which hire a hacking team to know about bugs, misconfigurations and weaknesses that these companies have in their services. However, there are increasingly more people working in the information security. Today, I’m going to write about three new teams: Red Team, Blue Team and Purple Team.

Penetration Testing and Ethical Hacking are well known by most companies which want to identify vulnerabilities and risks on systems and they also want to know if systems can be compromised easily by an attacker. However, Red Team is a group of people who work as adversaries and they are going to test many environments instead of one or two like a pentester does. In addition, it is usually a multidisciplinary team because members come from IT administration, network engineers, Windows and Unix administrations or even developers.

There are many tools which are really useful for the Red Team. For instance, I wrote about RedHunt last month, which is an adversary and intelligence emulator. RedHunt includes security tools such as Caldera, Atomic Red Team, DumpsterFire or Metta. However, there are many other interesting tools for the Red Team. For example, FlightSIM is a utility used to generate malicious traffic such as DGA traffic, requests to known active C2 destinations, etc. Blue Team Training Toolkit (BT3) is another interesting utility that creates realistic computer attack scenarios. Therefore, there are many tools ready for the Red Team.

On the other hand, the Blue Team is a group of people who work to detect attacks and prevent security incidents. They have to identify attacks and intrusions on systems. They have to be alert for reactive or preventive actions as well as they have to block attacks before they succeed. Therefore, they are going to work along with the Red Team. While the Red Team attacks the company, the Blue Team defends the company.

There are lots of well known tools ready for the Blue Team. Antimalware software is a must for endpoints and servers. Network firewalls are installed in most companies. Web Application Firewalls (WAF) are also installed in many companies. SIEM appliances are increasingly installed in companies which want to get logs for analysis and visibility. The Blue Team is more common in most companies than the Red Team.

I think the Red Team and Blue Team tasks are already well understood. However, there are another team, the Purple Team, which is between the Red and Blue teams. The Purple Team is going to use the defensive tactics and controls from the Blue Team and the threats and vulnerabilities found by the Red Team with the aim of maximizes the knowledge of both teams.

Regards my friends. How many teams there are in your company?

Same BGP AS Number in two Datacenters

I remember the first time I studied dynamic routing protocols such as EIGRP, OSPF and BGP. I hadn’t studied anything about these protocols at University but I wanted to pass the CCNP certification exam because I wanted to deep down in networking. These protocols are not used in LAN networks, thus, it’s unlikely you have to configure and know about EIGRP, OSPF or BGP. However, I wanted the three kings bring me an AS and I got it. Since then, I have to manage an AS and when I have to modify something, I have to know exactly what I’m doing. No doubts! No errors!

Recently, the WAN network I manage has had an important change. Right now, there are two datacenters in different places, geographically speaking, but both datacenters are in the same Autonomous System (AS). They were working properly. In addition, WAN public IP addresses in one datacenter were different from the IP addresses of the other datacenter. However, there was an issue. An important issue. Datacenter couldn’t connect each other. There wasn’t connectivity between datacenters. This is a protection feature enabled by default in BGP networks to prevent loops.

Network Topology

Surfing on the net, searching about this issue, I realised there were lots of network engineers who came across they couldn’t interconnect datacenters which share the same AS. The solution. Easy. The “allowas-in” function in BGP is able to override the loop prevention mechanism in the router and allow an instance of AS to be in the AS_PATH attribute. Therefore, both routers and both datacenters can share the same AS and they can send and receive traffic each other.

Actually, I had to configure the “allowas-in” function in two routers. The first one was a FortiGate “router” where BGP is configured in one site. It is easy to configure due to the fact that the “allowas-in {integer}” command allows the AS number as many times as we set the integer. On the other hand, I also run the “neighbor {IPv4 address} allowas-in {integer}” command in a Cisco router to finally interconnect both datacenter with the same AS number.

AllowAS-in Configuration

However, there is another interesting feature in the BGP protocol which can also be used to interconnect both sites with the same AS number. The AS-Override feature is similar to the AllowAS-in feature but the AS-Override function has to be run in the Provider Edge (PE) router instead of on the Customer Edge (CE) router. The “neighbor {IPv4 address} as-override” command just strip the AS number from the BGP UPDATE before sending it to the CE routers.

AS-Override Configuration

These are two interesting functions I didn’t know. I think even these functions are not in the CCNP curriculum but in the CCIE curriculum. Once you know these features, you will be able to send and receive traffic between sites easily. It’s up to you which one you want to use. If you only have access to CE routers, you’ll run the AllowAS-in function but if you only have access to PE routers, you’ll run the AS-Override function.

Regards my friends. Drop me a line with the first thing you are thinking!!

F5 BIG-IP APM - SAML

There are lots of companies which use software in the cloud. I mean, there are companies which use Software as a Service (SaaS) in the cloud instead of installing the software on site. This is a great advantage because it is usually cheaper and, what’s more, companies don’t have to be worried about upgrades and maintenance tasks. However, when companies have lots of users which have to access to this software, companies want to manage the user database to allow or deny users to the SaaS application.

OAuth, SAML and OpenID are some standards ready for the decentralized authentication. Therefore, thanks to these standards, companies can use SaaS applications while the user database is on site. For instance, this can be accomplished with SAML or the Security Assertion Markup Language where there are an Identity Provider (IdP) and many Service Providers (SP) as SaaS applications. The IdP could be configured in a pair of F5 BIG-IP APM while the SP would be Google Apps, AWS, Office 365, etc.

Fortinet SAML service

When we use a decentralized authentication as SAML with F5 APM, there are four steps. Firstly, user logs on to the IdP and is directed to a web portal. Secondly, user selects a SaaS application from the web portal. Thirdly, F5 APM may retrieve attributes from the user database to pass on with the SaaS service provider. Finally, APM directs the requests to the SaaS service with the SAML assertion and optional attributes via the user browser. However, there are another similar configuration with five steps, where the user access the the SaaS service in the first place. It’s up to you which one suit with your infrastructure.

Configuration example

 

There are SaaS services which may require attributes such as account ID, Role or whatever and these attributes have to be sent to the application from the IdP through the user web browser. For instance, AWS SAML assertions use two SAML attributes. The first is used to identify the Username that is associate with the session, and the second identifies the AWS Security Role that should be assigned to the session.

AWS SAML Attributes

 

F5 APM can be configured as an IdP as well as SP. Once you know the concepts, the SAML configuration is easy to deploy in F5 APM thanks to iApps and the Visual Policy Editor (VPE) where the IT engineer is going to answer many questions in the wizard and is going to modify the boxes in the VPE to fit the configuration to the infrastructure. The VPE is an useful tool which help us to add and delete boxes such as a webtop with many SaaS applications.

Visual Policy Editor

 

If you would like to test a configured federated domain with your F5 APM against AWS, you can do it with this Assertion Consumer service URL (https://signin.aws.amazon.com/saml). Once you type the Active Directory credentials, the BIG-IP system should issue SAML Assertion to the SaaS application. Nevertheless, if you have any issue, you can use the Firefox SAML Tracer Plugin, HTTP Watch or Fiddler to trace them.

Regards my friends. Keep learning! Keep studying!

National Cybersecurity Strategy of Spain

Six years ago I wondered if Spain were sold because most security appliances installed in the public and private sector were made outside of Spain. Most of these technologies are even made outside of the European Union. Therefore, I thought Spain were sold in the cyber war because firewalls, SIEMs, antivirus, etc were out of control. Consequently, I’ve read many security strategies since then, such as the Security Directives for the European Union, DoD Cyber Strategy of the U.S. of America, the National Cyber Strategy of the U.S. of America or the Revue Stratégique Cyberdéfense de France, because I wanted to know how countries mitigate the risk of working without own IT technology.

This weekend I’ve read the National Cybersecurity Strategy of Spain where there are five goals and seven lines of action. For instance, the first goal is the security and resilience of the information and communications for the public sector and essential services. I think this is a very important goal due to the fact that essential services such as water and energy should be protected against cyber attacks.

The second goal highlights the cybercrime where the government of Spain are going to investigate illicit and malicious acts to encourage citizen trust in the cyberspace. This goal wants we trust in the cyberspace which is shared with malicious people. Therefore, we’ll use this space as long as we trust in the cyberspace. Cooperation, collaboration and participation will help to fight against cybercrime.

The third goal about protecting the business and social ecosystem and citizens is my favourite because it encourages companies to “develop cybersecurity products, services and systems specially those that uphold national interest needs to strengthen digital autonomy”. I really love this sentence because they have realised Spain needs to develop products, services and systems to protect them self.

A better cybersecurity culture and technological skills for people are in the fourth goal. This is also an important goal because people have to know there are risks in the cyberspace. Risks such as blackmail, theft, deception, etc are also in the cyberspace. In addition, this goal takes into account the improvement of technological skills which will also be useful to develop new cybersecurity activities.

The last and fifth goal is about the international cyberspace security where Spain gets collaboration and also shares information about best security practices and cybercrime. We can read in this goal lots of forums where Spain participates such as the Internet Governance Forum (IGF), the Organisation for Security and Cooperation in Europe (OSCE) and many more forums. This is also the goal where we can read the support to the European Union.

Regards my friends, drop me a line with the first thing you are thinking!!!