Channel: Weberblog.net
Viewing all 338 articles

IKEv2 IPsec VPN Tunnel Palo Alto <-> FortiGate

And one more IPsec VPN post, again between the Palo Alto Networks firewall and a Fortinet FortiGate, again over IPv6 but this time with IKEv2. It was no problem at all to change from IKEv1 to IKEv2 for this already configured VPN connection between the two different firewall vendors. Hence I am only showing the … Continue reading IKEv2 IPsec VPN Tunnel Palo Alto <-> FortiGate

IKE Challenges

A few months ago I published many Layer 2/3 challenges on my blog. Besides the happy feedback I got some remarks that the challenges were too easy because you only needed the display filter in Wireshark and no deep protocol knowledge. Ok, “challenge accepted” ;) here I have some more protocol related challenges … Continue reading IKE Challenges

IKEv1 & IKEv2 Capture

It is probably one of the most used protocols in my daily business but I have never captured it in detail: IKE and IPsec/ESP. And since IKEv2 is coming I gave it a try and tcpdumped two VPN session initiations with IKEv1 main mode as well as with IKEv2 to see some basic differences. Of … Continue reading IKEv1 & IKEv2 Capture

IKE Solutions

Almost 4 weeks ago I published a pcap file with some challenges – this time four misconfigured IPsec VPN connections. If you have not solved it by now you should first download the pcap file and give it a try. Remember the scenario: You need to prove that the wrong VPN settings are … Continue reading IKE Solutions

SSH Key Fingerprints

As a network administrator I know that there are SSH fingerprints. And of course I know that I must verify the fingerprints for every new connection. ;) But I did not know that there are so many different kinds of fingerprints such as md5- or sha-hashed, represented in base64 or hex, and of course for … Continue reading SSH Key Fingerprints

Nmap Packet Capture

I am using Nmap every time I install a new server/appliance/whatever in order to check for unknown open ports from the outside. In most situations I am only doing a very basic run of Nmap without additional options or NSE scripts. Likewise I am interested in how the Nmap connections appear on the wire. Hence … Continue reading Nmap Packet Capture

Apple AirPlay Capture

I was interested in how Apple AirPlay works in my network. I am using an iPad to stream music to a Yamaha R-N500 network receiver. There is a great Unofficial AirPlay Protocol Specification which already shows many details about the used protocols. But since I am a networking guy I captured the whole process in … Continue reading Apple AirPlay Capture

CAA: DNS Certification Authority Authorization

I really like the kind of security features that are easy to use. The CAA “DNS Certification Authority Authorization” is one of those. As a domain administrator you only need to generate the appropriate CAA records and you’re done. (Unlike other security features such as HPKP, which requires deep and careful planning, or DANE, which is … Continue reading CAA: DNS Certification Authority Authorization

PGP Key Distribution via DNSSEC: OPENPGPKEY

What is the biggest problem of PGP? The key distribution. This is well-known and not new at all. What is new is the OPENPGPKEY DNS resource record that delivers PGP public keys for mail addresses. If signed and verified with DNSSEC a mail sender can get the correct public key for his recipient. This solves … Continue reading PGP Key Distribution via DNSSEC: OPENPGPKEY

DNS Test Names & Resource Records

I am testing a lot with my own DNS servers as well as with third-party DNS implementations such as DNS proxies on firewalls, DNSSEC validation on resolvers, etc. While there are a number of free DNS online tools around the Internet I was lacking some DNS test names with certain properties or resource records. Hence … Continue reading DNS Test Names & Resource Records

Instrument Tinkering

Instruments are to be handled with care and are not objects for tinkering! Absolutely right. Accordingly I have always taken good care of my guitars and the like and made no modifications to them. (One small exception was the completely amateurish repair of the bridge of my 12-string acoustic guitar, which otherwise would have been a write-off.) However, I have handled this a little differently in the … Continue reading Instrument Tinkering

All-in-One DNS Tool: Domain Analyzer

Just a quick glance at the domain_analyzer script from Sebastián García and Verónica Valeros. “Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way.” Nice one. If you’re running your own DNS servers you should check e.g. … Continue reading All-in-One DNS Tool: Domain Analyzer

Benchmarking DNS: namebench & dnseval

If you’re running your own DNS resolver you’re probably interested in some benchmark tests against it, such as: how fast does my own server (read: Raspberry Pi) answer to common DNS queries compared to 8.8.8.8. In this blogpost I am showing how to use two tools for testing/benchmarking DNS resolvers: namebench & dnseval. I am … Continue reading Benchmarking DNS: namebench & dnseval

SSHFP behind CNAME

I am intensely using the SSH Public Key Fingerprint (SSHFP, RFC 4255) in all of my environments. Since my zones are secured via DNSSEC I got rid of any “authenticity of host ‘xyz’ can’t be established” problems. As long as I am using my central jump host with OpenSSH and the “VerifyHostKeyDNS yes” option I … Continue reading SSHFP behind CNAME

SSHFP: FQDN vs. Domain Search/DNS-Suffix

This is actually a bad user experience problem: To generally omit the manual verification of SSH key fingerprints I am using SSHFP. With fully qualified domain names (FQDN) as the hostname for SSH connections such as [crayon-5a73129ea76b9771907647-i/] this works perfectly. However, admins are lazy and only use the hostname without the domain suffix to connect … Continue reading SSHFP: FQDN vs. Domain Search/DNS-Suffix

Generating SSHFP Records Remotely

Until now I have generated all SSHFP resource records on the SSH destination server itself via [crayon-5a7c5a470cb82833652099-i/]. This is quite easy when you already have an SSH connection to a standard Linux system. But when connecting to third party products such as routers, firewalls, whatever appliances, you don’t have this option. Hence I searched and found … Continue reading Generating SSHFP Records Remotely
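The fingerprint variants from the SSH Key Fingerprints post above (MD5 vs. SHA-256, hex vs. base64) and the remote SSHFP generation from this post can both be derived from nothing but the public key line a host hands out, for example the output of ssh-keyscan against an appliance that has no ssh-keygen. The following Python is an added example, not code from Weberblog.net or from OpenSSH: it computes the fingerprints that ssh-keygen -l prints, builds the SSHFP RDATA (RFC 4255 algorithm/fingerprint-type numbers) and checks a published SSHFP record against the "SHA256:..." fingerprint an SSH client shows for an unknown host key. The key line is constructed (a well-formed ssh-ed25519 blob with dummy key bytes, not a real key pair) and all function names are the example's own.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479, 8709) per SSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256 (the one to publish).
SSHFP_FPTYPE_SHA256 = 2


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Split an OpenSSH public key line ('type base64 [comment]') into
    (key type, raw key blob). Every fingerprint is a hash of this blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    # The blob begins with its own key type string; it must match the prefix.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length].decode() != key_type:
        raise ValueError("key type prefix does not match blob")
    return key_type, blob


def fingerprints(line: str) -> dict:
    """The same key in the formats ssh-keygen -l prints (MD5 colon hex,
    SHA256 base64 without padding) plus the hex SHA-256 used by SSHFP type 2."""
    key_type, blob = parse_pubkey_line(line)
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = hashlib.sha256(blob).digest()
    return {
        "type": key_type,
        "md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + base64.b64encode(sha256).decode().rstrip("="),
        "sha256_hex": sha256.hex(),
    }


def sshfp_rdata(line: str) -> str:
    """SSHFP RDATA '<algorithm> <fptype> <hex digest>' for a public key line."""
    fp = fingerprints(line)
    return f"{SSHFP_ALGORITHM[fp['type']]} {SSHFP_FPTYPE_SHA256} {fp['sha256_hex']}"


def sshfp_matches(sshfp: str, shown_fingerprint: str) -> bool:
    """Check an SSHFP record from DNS against the 'SHA256:...' fingerprint
    the SSH client displays; only fingerprint type 2 can be compared this way."""
    _algorithm, fptype, hexdigest = sshfp.split()
    if int(fptype) != SSHFP_FPTYPE_SHA256:
        return False
    b64 = base64.b64encode(bytes.fromhex(hexdigest)).decode().rstrip("=")
    return "SHA256:" + b64 == shown_fingerprint


# Constructed sample key (example only): a syntactically valid ssh-ed25519
# blob whose 32 key bytes are simply 0..31. It is NOT a real key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " demo@example"

if __name__ == "__main__":
    fp = fingerprints(SAMPLE_LINE)
    print(fp["md5"])
    print(fp["sha256"])
    print("host.example.com. IN SSHFP", sshfp_rdata(SAMPLE_LINE))
```

ssh-keyscan prints the host name as a first column, so drop it before feeding a line in (e.g. `ssh-keyscan -t ed25519 host | cut -d' ' -f2-`). The hash covers the whole blob including the key type string, which is why the same raw key bytes under a different type prefix yield a different fingerprint, and why the SSHFP algorithm number and the fingerprint must be published together.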

Signing a Delegated Subdomain

If you are already familiar with DNSSEC this is quite easy: How to sign a delegated subdomain zone. For the sake of completeness I am showing how to generate and use the appropriate DS record in order to preserve the chain of trust for DNSSEC. Scenario You already have a DNSSEC signed zone, in my … Continue reading Signing a Delegated Subdomain
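The DS record that preserves the chain of trust is a digest over the child's owner name plus the DNSKEY RDATA, keyed by the DNSKEY's key tag (RFC 4034 sections 5.1 and Appendix B). As an added example, not code from Weberblog.net or from BIND's dnssec-dsfromkey, the following Python computes that DS from the KSK's parameters and verifies a DS published at the parent against the child's DNSKEY, which is the same comparison a validating resolver performs. The public key bytes are constructed (64 dummy bytes in the shape of an ECDSAP256SHA256 key, not a real key) and the function names are the example's own.

```python
import hashlib
import struct

# DS digest types (RFC 4034 section 5.1.3 and later assignments);
# 2 = SHA-256 is what should be published today.
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed
    labels, terminated by the root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire format: 2-byte flags, protocol, algorithm, key."""
    return struct.pack(">HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1/RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2) -> str:
    """Presentation-format DS RDATA for the parent zone:
    '<key tag> <algorithm> <digest type> <hex digest>', where the digest is
    over owner name (wire form) || DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DS_DIGEST[digest_type](owner_name_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey: bytes, ds_rdata: str) -> bool:
    """Does the DS published at the parent match this DNSKEY of the child?"""
    fields = ds_rdata.split()
    if len(fields) != 4 or int(fields[2]) not in DS_DIGEST:
        return False
    expected = ds_record(owner, flags, protocol, algorithm, pubkey, int(fields[2]))
    return expected.upper().split() == [f.upper() for f in fields]


# Constructed sample KSK (example only): flags 257 = ZONE + SEP, protocol 3,
# algorithm 13 (ECDSAP256SHA256). The 64 key bytes are dummies, not a real key.
SAMPLE_PUBKEY = bytes(range(64))

if __name__ == "__main__":
    ds = ds_record("sub.example.com.", 257, 3, 13, SAMPLE_PUBKEY)
    print("sub.example.com. IN DS", ds)
    print("parent DS matches child KSK:",
          ds_matches("sub.example.com.", 257, 3, 13, SAMPLE_PUBKEY, ds))
```

The owner name is part of the digest, so a DS is only valid for the exact zone name it was generated for, and the lower-casing in owner_name_wire is what makes DS generation independent of how the name was typed.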

DNSSEC KSK Key Rollover

Probably the most crucial part in a DNSSEC environment is the maintenance of the key-signing key, the KSK. You should rollover this key on a regular basis, though not as often as the zone signing keys, the ZSKs. I am doing a KSK rollover every 2 years. In the following I will describe the two … Continue reading DNSSEC KSK Key Rollover

DNSSEC KSK Emergency Rollover

In my last blogpost I showed how to perform a DNSSEC KSK rollover. I did it quite slowly and carefully. This time I am looking into an emergency rollover of the KSK. That is: What to do if your KSK is compromised and you must replace it IMMEDIATELY. I am listing the procedures and commands … Continue reading DNSSEC KSK Emergency Rollover

Signed DNS Zone with too long-living TTLs

Having implemented DNSSEC for a couple of years now while playing with many different DNS options such as TTL values, I came across an error message from DNSViz pointing to possible problems when the TTL of a signed resource record is longer than the lifetime of the DNSSEC signature itself. Since I was not fully aware … Continue reading Signed DNS Zone with too long-living TTLs
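The problem behind that DNSViz message is that a record can be served from a cache for up to its TTL, while its RRSIG is only valid until the signature expiration; a record fetched late in the signature's lifetime with a long TTL can therefore still be handed out after the signature has expired, and a validating resolver downstream then fails the answer. The Python below is an added example, not code from Weberblog.net or DNSViz: it parses an RRSIG in presentation format (RFC 4034 section 3.2 timestamps in UTC), compares the RRset TTL with both the total signature lifetime and the validity remaining at a given time, and reports the TTL that is safe right now. The RRSIG line, its signature bytes and the "now" timestamp are constructed for the example; the function names are the example's own.

```python
from datetime import datetime, timezone

# RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2).
_RRSIG_TIME = "%Y%m%d%H%M%S"


def parse_rrsig_time(value: str) -> datetime:
    """Turn an RRSIG timestamp field into an aware UTC datetime."""
    return datetime.strptime(value, _RRSIG_TIME).replace(tzinfo=timezone.utc)


def parse_rrsig(presentation: str) -> dict:
    """Parse RRSIG RDATA: type covered, algorithm, labels, original TTL,
    expiration, inception, key tag, signer name, base64 signature."""
    f = presentation.split()
    if len(f) < 9:
        raise ValueError("incomplete RRSIG RDATA")
    return {
        "type_covered": f[0],
        "algorithm": int(f[1]),
        "labels": int(f[2]),
        "original_ttl": int(f[3]),
        "expiration": parse_rrsig_time(f[4]),
        "inception": parse_rrsig_time(f[5]),
        "key_tag": int(f[6]),
        "signer": f[7],
        "signature": "".join(f[8:]),
    }


def check_ttl_against_rrsig(ttl: int, rrsig_presentation: str, now: datetime) -> dict:
    """Compare an RRset TTL with its RRSIG validity.

    ttl_exceeds_lifetime: the TTL is longer than the whole signature validity
        window, so the record can outlive its signature no matter when it is
        cached (the condition DNSViz warns about).
    ttl_exceeds_remaining: fetched at `now`, the record would still sit in a
        non-validating cache after the signature expires.
    safe_ttl_now: the largest TTL that cannot outlive the signature from `now`.
    A validating resolver caps the TTL at the remaining validity itself
    (RFC 4035 section 5.3.3); the risk is caches in between that do not.
    """
    sig = parse_rrsig(rrsig_presentation)
    lifetime = int((sig["expiration"] - sig["inception"]).total_seconds())
    remaining = int((sig["expiration"] - now).total_seconds())
    return {
        "signature_lifetime": lifetime,
        "remaining_validity": remaining,
        "ttl_exceeds_lifetime": ttl > lifetime,
        "ttl_exceeds_remaining": ttl > remaining,
        "safe_ttl_now": max(0, min(ttl, remaining)),
    }


# Constructed sample (example only): an RRSIG over example.com. A with a
# 14-day validity window and a dummy signature; "now" is two days before expiry.
SAMPLE_RRSIG = ("A 13 2 604800 20240115000000 20240101000000 12345 example.com. "
                "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
SAMPLE_NOW = datetime(2024, 1, 13, 0, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ttl in (3600, 604800, 2592000):
        print(ttl, check_ttl_against_rrsig(ttl, SAMPLE_RRSIG, SAMPLE_NOW))
```

Run it against `dig +dnssec` output for your own zone and compare the RRset TTL with the RRSIG validity your signer uses; with a one-week TTL and a two-week signature lifetime, as in the sample, every record cached in the second week of the window is at risk, which is why the zone's re-signing interval, not just the signature lifetime, has to be longer than the longest TTL.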