Friday, February 2, 2018

Validate TLS session-ID reuse

With TLS,  we have the ability to  reuse session-ID aka know as ssl-session resumption.

SSL re-usage is either ID or  Ticket base. In this example I will show you have to save  the "Session-ID" and cal it back using openssl and s_client  function.

1st you have to understand the Session-ID is a unique ID & establish by the server and client during  the SSL/TLS hello.

In this example, I'm building a save session-id file for google website by using the sess_out option




In this next example, I'm calling up  a saved Session-ID from  a file for the website  www.wwt.com and running it thru a loop. If the  server honors the  Session-ID it will be used thru-out the TLS setup and will not change.



So in this example the session-ID is  being honored and used during out future sessions.


The save Session-ID file contains data similar to the below



If session reuse was not honored, each newly established session will contain a new-session-ID

You can use the s_time function with   openssl to validate performance.


Notes;

  1. Session reuse  can decrease the  TLS  setup time
  2. allow for more connections in a give period
  3. reduce Server CPU computations by reducing the number of steps in the SSL handshakes
  4. Session reuse  can compromise  forward_secrecy  
  5. With Session-ID this ID is cache at the server
  6. Session-Tickets are stored on the client
  7. In regards to #6, if the session-id are compromised, a attacker can potential hijack a session by knowing  the Session-ID
  8. By doing any of the following 1> reduce the cache size or 2> cache-lifetime, you  can reduce  item#7 from above

review  one of my   previous posting about ssl flooding without actually  touch the application layer

http://socpuppet.blogspot.com/2013/04/ssl-negotiation-flooder-via-curl.html



Ken Felix




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

Sunday, January 28, 2018

Fortianalyzer License issues

I worked on moving a previous licensed  Fortinet FAZ-VM and ran into a simple but weird issue.

The license is tied to the device management address. So if you re-address the unit, the license check will fail.



You will not be able to  configured anything if the license is not  valid btw.




So how I got around this, I tried at first to see if I could apply a secondary address by using the old address. This was not possible.

So next , I  attempted to define  a loopback-interface by using the old_address, & again not possible.

So I ended up  reapplying  the old_address on one of the other 3 unused ports. This and reboot, cause a  re-activation of the license and  unit was again operational.



So knowing this, I wonder how strong is  the license enforcement on a FAZ-VM image.




Ken Felix




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

Saturday, January 27, 2018

JuniperSRX and IPv6 local-services

The Juniper SRX has been superior  with it's offering for ipv6 in a firewall appliance.

Other firewall  vendors has been lacking in this area , & with functions supporting  syslog , ntp, radius, tacacs, etc  and it's support of IPv6. These local services for the most part has been ignored in regards to IPv6. In this post,  I will demo  most of these services being deployed on a branch model  SRX.


1st here's the JunOS version deployed & used in these examples.




For IPv6 to work,  you need to check and possible enable  ipv6 flow mode & yes a reboot would be required after committing.



NTP configuration and a IPv6 tcpdump for  proof.




SYSLOG and  IPv6  tcpdump capture of our syslog messages.




RADIUS and IPv6

take heed to change the  authentication order  and select radius




Here's the  freeradius  cfg details  for RADIUS  the user is steve and the radius_client  NAS is 2001:DB8:199::1





NOTE ALL RADIUS ACCEPT/REJECT MESSAGES ARE SENT  UNENCRYPTED


( TCPDUMP for  various  radius messages between NAS and RADIUS-Server )





NOTE: Between the NAS client and freeradius , PAP is the default . You can change this behavior within JunOS  radius options and use chap for  more security. Ideally RADIUS+DTLS will encrypt the full transmission which offers greater security.


Ken Felix





NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \


Thursday, January 25, 2018

IKEv1 DHgroup ( aggressive mode )

When deploying IKEv1 for IPSEC, it  crucial  to know the exchange for the   DHgrp needs to be defined across the proposals & the same.

In the 1st initial  contact the  IKEv1 end-point will provide his identity and dh-parameter. So if you have multiple proposals with  different DHgrp values, they will even be NOT be looked at.

IKEv1 main-mode

6  transactions (  DHexch comes at transaction 3+4 )



IKEv1 aggressive-mode

3 transactions ( DHexch happens in the 1st transaction along with the proposal )


Ken Felix




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \


Wednesday, January 24, 2018

HOWTO test for mobile friendly and load issues

Google has a  mobiletest site that pretty good at identifying pages that load for mobile devices and any errors.

https://search.google.com/test/mobile-friendly

It's simple as,  "  insert the URL and submit "

If the site loads  and it's deem mobile friendly  the output will be present .





But if it fails or has issues you will get a simple results and hints output








Depending on the speed of the website the results should be under 1min.

Ken Felix




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

Thursday, January 18, 2018

SSL CA chain and proxies

The latest in the security world is "SSL inspection". This is a must if you have data that's encrypted. Doing SSL decryption allows you to inspect data that would  otherwise be not inspect.

Does this makes you  more secured? Is a argument that has PRO/CON that are debatable. One CON, you loose any expectation of  privacy.

So how do you know if a  SSLinspection device in  the path of you and a website?

If you know the true issuer of the  site certificate, you can explore the CA-chain in your browser. Here's google website  in my MSIE browser

The CA chain_path on the  left is  surely  indication of forge CA-PATH  vrs the right-side is the real chain.

This is from a  BlueCoat-Proxy at my day-job btw.


So when in doubt , use  a site like ssllab or similar and compare the browser reported chain to the ssllab discovered chain.









NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \


Friday, December 29, 2017

PCNSE version 8

Since PANOS  7, we are  awaiting for PANOS v8 certification. Nothing so far has came up on the radar from  PaloAlto for  ver8.x

 https://www.paloaltonetworks.com/services/education/pcnse

I would suggest  checking the PANOS 8  new features


https://www.paloaltonetworks.com/services/education/pcnse







NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \