Channel: Security – Weberblog.net
Browsing all 76 articles

Signed DNS Zone with too long-living TTLs

Implementing DNSSEC for a couple of years now while playing with many different DNS options such as TTL values, I came around an error message from DNSViz pointing to possible problems when the TTL of...


Using a FortiGate for Bitcoin Mining

Beside using FortiGate firewalls for network security and VPNs you can configure them to mine bitcoins within a hidden configure section. This is a really nice feature since many firewalls at the...


Idea: SSHFP Validator

The usage of the SSHFP resource record helps admins to authenticate the SSH server before they are exposing their credentials or before a man-in-the-middle attack occurs. This is only one great...


Playing with Randomness

Unpredictable random numbers are mandatory for cryptographic operations in many cases (ref). There are cryptographically secure pseudorandom number generators (CSPRNG) but the usage of a hardware...


True Random PSK Generator on a Raspi

In my previous blogpost I talked about the true random number generator (TRNG) within the Raspberry Pi. Now I am using it for a small online pre-shared key (PSK) generator at https://random.weberlab.de...


Palo Alto policy-deny though Action allow

I came across some strange behaviors on a Palo Alto Networks firewall: Certain TLS connections with TLS inspection enabled did not work. Looking at the traffic log the connections revealed an Action of...


File Blocking Shootout – Palo Alto vs. Fortinet

We needed to configure the Internet-facing firewall for a customer to block encrypted files such as protected PDF, ZIP, or Microsoft Office documents. We tested it with two next-generation firewalls,...


Passwords vs. Private Keys

It is widely believed that public/private keys or certificates are “more secure” than passwords. E.g., an SSH login via key rather than using a password. Or a site-to-site VPN with certificate...


Basic MP-BGP Lab: Cisco Router, Palo Alto, Fortinet

While playing around in my lab learning BGP I configured iBGP with Multiprotocol Extensions (exchanging routing information for IPv6 and legacy IP) between two Cisco routers, a Palo Alto Networks...


OSPFv2 Capture

I already had an OSPFv2 for IPv4 lab on my blog. However, I missed capturing a pcap file in order to publish it. So, here it is. Feel free to have a look at another small lab with three Cisco routers...


OSPFv3 with IPsec Authentication

Here comes a small lab consisting of three Cisco routers in which I used OSPFv3 for IPv6 with IPsec authentication. I am listing the configuration commands and some show commands. Furthermore, I am...


Dual-Stack EIGRP Lab

Yet another routing protocol I played with in my lab. ;) This time: EIGRP, Enhanced Interior Gateway Routing Protocol, the proprietary distance-vector routing protocol developed by Cisco, which is now...


Why should I run own NTP Servers?

… since we all can use pool.ntp.org? Easy answer: Many modern (security) techniques rely on accurate time. Certificate validation, two-factor authentication, backup auto-deletion, logs generation, and...


NTP Authentication: Server Side

As already pointed out in my NTP intro blogpost Why should I run own NTP Servers? it is crucial to leverage NTP authentication to have the highest trustworthiness of your time distribution all over...


Meinberg LANTIME NTP Authentication

Operating NTP in a secure manner requires the usage of NTP authentication, refer to my Why should I run own NTP Servers? blogpost. Using the Meinberg LANTIME NTP appliance with NTP authentication is...


NTP Authentication: Client Side

Now that we have enabled NTP authentication on our own stratum 1 NTP servers (Linux/Raspbian and Meinberg LANTIME) we need to set up this SHA-1 based authentication on our clients. Here we go for a...


NTP Authentication on Cisco IOS

This is how you can use NTP authentication on Cisco IOS in order to authenticate your external NTP servers respectively their NTP packets. Though it is not able to process SHA-1 but only MD5, you’re...


Palo Alto Networks NGFW using NTP Authentication

Everyone uses NTP, that’s for sure. But are you using it with authentication on your own stratum 1 servers? You should since this is the only way to provide security against spoofed NTP packets, refer...


Fortinet FortiGate (not) using NTP Authentication

A security device such as a firewall should rely on NTP authentication to overcome NTP spoofing attacks. Therefore I am using NTP authentication on the FortiGate as well. As always, this so-called...


Infoblox Grid Manager NTP Authentication

Configuring NTP authentication on the Infoblox Grid Master is quite simple. Everything is packed inside the single “NTP Grid Config” menu. You just have to enter the NTP keys respectively key IDs and...
