FortiGate High Availability

I recently gave a presentation on the High Availability (HA) features of FortiGate firewalls.  I created the presentation for my co-workers in anticipation of a large rollout of FortiGate and Juniper gear to a client with twenty remote sites.  The FortiGates were the keystone in the network re-design.

This was a relatively short presentation that took about 20 minutes to present, with another 20 minutes of questions and discussion along the way.  I stopped the presentation at the “End” slide, but have 10 more slides that discuss how the Primary firewall is chosen (I simply ran out of presentation time).  The intended audience is system administrators who have to troubleshoot general network problems.  The presentation was created in PowerPoint 2013 and converted to .PDF and is available here.

Cisco Configuration Professional Setup

Overview

Cisco Configuration Professional (CCP) has replaced System Device Manager for most Cisco equipment. It uses Java in Internet Explorer and requires some fiddling to get it working. Following are some notes on what I have found to work in setting up CCP and using it. These notes are as of 30 June 2014.

Java

  • Install Java 7.60 or higher.
  • Go to Start -> All Programs -> Java -> Configure Java.
  • On the General tab, find the “Temporary Internet Files” section and click the “Settings” button; uncheck “Keep temporary files on my computer”.
  • On the Security tab, reduce the Security slider to Medium.
  • Add these sites to the “Exception Site List”:
      http://127.0.0.1
      https://127.0.0.1
  • On the Advanced tab, change the “Perform certificate revocation checks on” option to “Do not check (not recommended)”.

Cisco Configuration Professional

  • Download and install Cisco Configuration Professional v2.8.
  • Go to Control Panel -> Internet Options, Security tab.
  • Click Trusted Sites, then click the “Sites” button, then add these sites:
      http://127.0.0.1
      https://127.0.0.1
  • Run Cisco Configuration Professional as Administrator (right-click and choose “Run as Administrator”).

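The same settings applied from a script, so the setup is repeatable on each admin workstation and the exceptions are limited to the loopback address CCP actually uses. This is an added example, not part of the original notes or of Cisco's or Oracle's tooling; the `deployment.properties` key names, the `exception.sites` file location and the `ZoneMap\Ranges` registry layout are assumptions based on Java 7 and Internet Explorer behaviour, not values from the page.

```powershell
# Added example (not from the original notes): apply the Java and Internet
# Explorer settings listed above non-interactively, scoped to 127.0.0.1 only.
# Property names and registry layout are assumptions (Java 7 / IE), not taken
# from the page. Run as the user who will launch CCP.

$loopback = '127.0.0.1'
$origins  = @("http://$loopback", "https://$loopback")

# --- Java: per-user files live under %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment
$deployDir = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment'
$secDir    = Join-Path $deployDir 'security'
New-Item -ItemType Directory -Force -Path $secDir | Out-Null

# "Exception Site List" is security\exception.sites, one origin per line (assumed).
$exceptionFile = Join-Path $secDir 'exception.sites'
$current = if (Test-Path $exceptionFile) { @(Get-Content $exceptionFile) } else { @() }
$merged  = @($current + $origins | Where-Object { $_ } | Select-Object -Unique)
Set-Content -Path $exceptionFile -Value $merged -Encoding ASCII

# deployment.properties keys assumed to map to the three GUI items in the notes.
$props = [ordered]@{
  'deployment.cache.enabled'             = 'false'    # "Keep temporary files on my computer" unchecked
  'deployment.security.level'            = 'MEDIUM'   # Security slider -> Medium (Java 7 accepts MEDIUM)
  'deployment.security.revocation.check' = 'NO_CHECK' # "Do not check (not recommended)"
}
$propFile = Join-Path $deployDir 'deployment.properties'
$lines = if (Test-Path $propFile) { @(Get-Content $propFile) } else { @() }
foreach ($k in $props.Keys) {
  # Drop any existing line for this key, then append the wanted value.
  $lines = @($lines | Where-Object { $_ -notmatch ('^' + [regex]::Escape($k) + '=') })
  $lines += "$k=$($props[$k])"
}
Set-Content -Path $propFile -Value $lines -Encoding ASCII

# --- IE Trusted Sites (zone 2) for the loopback address only.
# An IP address is stored as a Ranges\RangeN key holding ':Range' plus one
# DWORD per scheme (assumed layout). Reuse an entry for 127.0.0.1 if present.
$ranges = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges'
New-Item -Path $ranges -Force | Out-Null
$hit = Get-ChildItem $ranges |
  Where-Object { (Get-ItemProperty $_.PSPath).':Range' -eq $loopback } |
  Select-Object -First 1
if ($hit) {
  $rangeKey = $hit.PSPath
} else {
  $n = 1
  while (Test-Path (Join-Path $ranges "Range$n")) { $n++ }
  $rangeKey = (New-Item -Path (Join-Path $ranges "Range$n")).PSPath
}
Set-ItemProperty -Path $rangeKey -Name ':Range' -Value $loopback
foreach ($scheme in 'http', 'https') {
  New-ItemProperty -Path $rangeKey -Name $scheme -Value 2 -PropertyType DWord -Force | Out-Null
}
Write-Host "Java exception list, deployment.properties and IE trusted-site entry set for $loopback"
```

Two things to keep in mind when using it: the settings take effect for Java processes started after the script runs, and opening the Java Control Panel afterwards may rewrite `deployment.properties`. Only the exception list and the trusted-site entry are scoped to 127.0.0.1; the Security slider and the revocation-check setting are global, which is the trade-off the notes above accept in order to run CCP at all.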

Password Estimates

I mentored a kid for his eighth grade mentoring project (most of the schools here in Eugene do this) and we spent six weeks, twice a week, working through some hardware and software projects. He soaked it all up and I had a great time teaching him what I know. I am pretty sure I taught him everything I know, now he can do my job.

He sent me an e-mail a few weeks later and shared what he thought was this great site that he found for making sure your passwords are secure. Below is my calm and measured response to him. What I really wanted to say was how freakin’ shocked I was that this site is making the claims that it does.

This site (http://howsecureismypassword.net) tells you how long it would take to crack a password based on what you type in. It is so wrong, so VERY VERY VERY VERY VERY wrong. A good password cracker library, a free password cracking tool and a nice video card can shorten the time claims on this site considerably.
----------------------------------------

My response to my eighth grader:

Nick,
…..
#3: http://howsecureismypassword.net
Thanks for the web site link. This was a fun one to try out, however I would not rest on my laurels just because you ran your password through this site. I would love to believe that a 12 character password would take 4 thousand years to crack, but unfortunately I know that it can take about _a_ (1) _day_ to crack when using a high-end graphics card to do the processing. Although howsecureismypassword.net is useful for informing you about password vulnerability and good password creation techniques, it is very naive in its time estimates.

Most of the work in cracking passwords is in calculating what a word or phrase looks like after it is encrypted. Encryption is a high-tech method of scrambling a password. The encrypted word or phrase is then compared to the encrypted password that you are trying to crack. If the phrase that you just encrypted matches the encrypted password then you have cracked the password (because you already know what word or phrase you fed into the encryption machine). If the encrypted phrase and the encrypted password do not match then the password cracker has to try again; pick a word or phrase, encrypt it, compare it to the encrypted password. The encryption process takes time, the comparison process takes very little time.

Password crackers save time by pre-encrypting LOTS of words and phrases ahead of time so that the encryption part is already done. The cracker then simply compares the already-encrypted phrases to the encrypted password which takes practically no time at all. Does this one match? No? Compare the next one, and so on. You can save yourself even more time, as a password cracker, by buying a set of pre-encrypted words and phrases from someone else. Cheap sets cost $10-$20, more comprehensive sets cost a few hundred.

Here’s the nugget – Make your password long, at least 16 characters long (I recommend 22 characters). Yes, use a mix of UPPERCASE and lowercase and numbers and punctuation, but the longer the better. Longer passwords take longer to crack (a cracker has to compare more encrypted words and phrases) and if your password is long enough the cracker will hopefully stop and move on to someone else.

I hope this helps and please let me know if you have any questions.

Sincerely,

 

Hal
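To put numbers behind the two points in the letter (the estimate depends entirely on the assumed guess rate, and a precomputed set removes the per-guess work), here is an added Python example. It is not part of Hal's letter or of the site he discusses; the symbol counts, guess rates, word list and the "stolen" digest are constructed for the demonstration, and it uses SHA-256 as a stand-in for whatever a real system stores. It also works backwards from a claimed "years to crack" figure to the guess rate that figure implicitly assumes, which is the quickest way to sanity-check an estimate like the one the site gives.

```python
"""Added example, not part of Hal's letter or the site it discusses: how a
"time to crack" figure depends on the assumed guess rate, and why a
precomputed digest table removes the hashing step from each comparison.
Word list, rates and the 'stolen' digest below are constructed for the demo."""
import hashlib
from typing import Dict, Iterable, Optional

# Symbol counts for a US keyboard (constructed assumption): 26+26+10+33 = 95.
LOWER, UPPER, DIGITS, PUNCT = 26, 26, 10, 33
FULL = LOWER + UPPER + DIGITS + PUNCT

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, alphabet_size: int) -> int:
    """Distinct passwords of exactly `length` symbols from an alphabet of that size."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst case: every candidate tried once at the given rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def rate_for_estimate(length: int, alphabet_size: int, claimed_years: float) -> float:
    """Guess rate a site must be assuming to arrive at a given 'years to crack'."""
    return keyspace(length, alphabet_size) / (claimed_years * SECONDS_PER_YEAR)


def digest(candidate: str) -> str:
    """The per-guess work a cracker pays when it has no precomputed table."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def build_table(words: Iterable[str]) -> Dict[str, str]:
    """Pay the hashing cost once, up front: digest -> plaintext."""
    return {digest(w): w for w in words}


def lookup(table: Dict[str, str], stolen_digest: str) -> Optional[str]:
    """With the table built, matching is a dictionary lookup, no hashing at all."""
    return table.get(stolen_digest)


# Constructed sample word list and the digest of one of its entries.
SAMPLE_WORDS = ["password", "letmein", "Summer2014", "correct horse battery staple"]
SAMPLE_TABLE = build_table(SAMPLE_WORDS)
STOLEN_DIGEST = digest("Summer2014")

if __name__ == "__main__":
    # Same 12-symbol password, three assumed guess rates (constructed values).
    for rate in (1e4, 1e9, 1e11):
        yrs = seconds_to_exhaust(12, FULL, rate) / SECONDS_PER_YEAR
        print(f"12 chars at {rate:.0e} guesses/s: {yrs:.3g} years worst case")
    # What rate does a '4000 years for 12 characters' claim assume?
    print(f"4000-year claim assumes {rate_for_estimate(12, FULL, 4000):.3g} guesses/s")
    # Going from 11 to 22 characters multiplies the work by 95**11.
    print("22 vs 11 chars, work ratio:", keyspace(22, FULL) // keyspace(11, FULL))
    print("table lookup:", lookup(SAMPLE_TABLE, STOLEN_DIGEST))
```

Run it and compare the three printed estimates: they differ by exactly the ratio of the rates, so any site that publishes a single number has silently picked one rate. The `rate_for_estimate` line shows which rate a given claim is betting on; if that is far below what a modern GPU can do for the hash in use, the estimate is optimistic by the same factor.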

All your rooms are belong to us

I know that there are other mobile device "sensory" apps out there, such as spiPhone and SoundMiner, that make use of your phone microphone to gather info such as credit card numbers, but this is the first that I have seen that would make good use of your camera.

PlaceRaider, a proof of concept app developed by the Naval Surface Warfare Center and University of Indiana, takes a stream of images using the camera in your smartphone, then sends the images to a server where they are used to construct a 3D model of your room(s).  The idea is that this app would be surreptitiously loaded onto your smartphone and run in the background, snapping pics of your surroundings. Scary-cool.  From now on I am showering without my phone.

You can download the PlaceRaider paper here:  http://arxiv.org/pdf/1209.5982v1

Learn more: http://blogs.computerworld.com/malware-and-vulnerabilities/21092/visual-malware-remotely-exploits-android-camera-secretly-snaps-pic-every-2-seconds

Mistakes admitted, security restored, exploiters caught

This is a fairly techie tale of a company CEO that was a little sloppy (well, not paranoid enough), a couple of security holes in two different systems and a lot of patient work to take over a website.  In short, a small group of hackers managed to wrest control of the Google Apps account and voicemail box of a hosting company president, then used that information to temporarily take over a group of websites hosted by that company.  The attack was detected and stopped quickly and control was returned to the hosting company, but it took a lot of work and a lot of people to thwart one attack.

A detailed blog post by the CEO of the hosting company, CloudFlare's Matthew Prince, tells the entire story, including mistakes and apologies.  CloudFlare even went so far as to create a nice timeline to illustrate the timing of the hack, the response, and the key details.  Going one step even further, CloudFlare took the opportunity to use this incident as a teachable moment, to inform and advise their clients and the general public in how to protect one's self from the same abusive tactics.  Even though CloudFlare made some mistakes, they more than made up for it in their quick and thorough response and then took it one step farther to help others to prevent the same attack.  This is the kind of excellence in community building and collaboration that warms my heart and confirms my faith in our society and people in general.  Well done.

Google fixed their part of the problem and also admitted the flaw, so they get some credit there.  To end the tale on a happy note, the FBI was able to track down and catch the perpetrators, thus furthering my confidence in the Path of the Good.  For some light bedtime reading, the FBI press release following the arrests of the exploiters can be found here

Since this incident occurred, others have taken place that exploited weaknesses in support and recovery policies at other biggies, Amazon and Apple.  Policies at those companies have been changed to prevent similar attacks again, though the companies seemed more concerned about inconveniencing their customers than about security.  While I understand that convenience is a key to keep customers coming back to your site or service, the inconvenience of having my data (or website) taken away is more important to me than the speed with which I use a service.  Others seem to think so too.  That balance between being convenient and being secure is slowly leaning towards secure.

As a local investment advisor in my town that I like says, "Here's the Nugget":

  • Be paranoid as much as is practically possible without super-pissing other people off.  Inconveniencing them is OK, when done lovingly.
  • Get help from and work with your vendors to help *them* make their systems better for you and others.  We all benefit in the long run.
  • Admit your mistakes, ask forgiveness, show how you have fixed this problem and tell why it will not be a problem again.  This keeps you humble, demonstrates your commitment to your tribe and helps others, who will, in the future, and under the influence of your example, help others in return.

A friend of mine who manages a corporate office says that his users, most of them ladies, respond well to his super-paranoia because it is "sincere" paranoia and they secretly love the attention.  I imagine that the conversations go something like this:

Office Lady: "Do we have to go to all of this trouble just to get our e-mail?"

Paranoid Admin: "Yes, this really is necessary to protect your data."

OL: "It seems a bit extreme."

PA: "I don't want to see you lose valuable time and information. Now hold still for your retina scan."

OL: "I really don't…"

PA: "You have very pretty eyes."

OL: "Oh. *Thank* you. Hold still like this?"