Channel: Johannes Weber – Weberblog.net
Browsing all 311 articles


Updating NTP Servers

As always when you’re running your own services you should update them regularly to have all known bugs fixed and security issues thwarted. The same goes for NTP servers based on Linux, as in my case running on...


NTP Appliance: Meinberg LANTIME & SyncFire

In case you’re responsible for an enterprise network or data center you should care about NTP. Refer to “Why should I run own NTP Servers?”. As a hobby technician you might first think about Raspberry...


Load Balancing NTP via F5 BIG-IP LTM

As you hopefully already know, you should use at least three different NTP servers to get your time. However, there might be situations in which you can configure only one single NTP server, either via...


Infoblox Failover Debacle (Works as Designed)

What failover times do you expect from a network security device that claims to have high availability? 1 ms? Or at least <1 second? Not so for a fully featured Infoblox HA cluster which takes about...


Using Case Sensitive IPv6 Addressing on a Palo Alto

IPv6 brings us enough addresses until the end of the world. Really? Well… No. There was an interesting talk at RIPE77 called “The Art of Running Out of IPv6 Addresses” by Benedikt Stockebrand that...


CLI Commands for Troubleshooting Infoblox

With Infoblox you’re almost doing everything through the WebUI on the Infoblox Grid Master. At least the daily business such as adding/changing/deleting/moving/whatever DNS, DHCP, and IPAM stuff. Even...


Infoblox Feature Requests

Infoblox offers a nice product which completely serves the DHCP/DNS/IPAM aka DDI area. I really love it. Especially the centralized management aka Grid works quite stable and is easy to use (though the...


NTP Authentication: Server Side

As already pointed out in my NTP intro blogpost Why should I run own NTP Servers? it is crucial to leverage NTP authentication to have the highest trustworthiness of your time distribution all over...


Meinberg LANTIME NTP Authentication

Operating NTP in a secure manner requires the usage of NTP authentication, refer to my Why should I run own NTP Servers? blogpost. Using the Meinberg LANTIME NTP appliance with NTP authentication is...


NTP Authentication: Client Side

Now that we have enabled NTP authentication on our own stratum 1 NTP servers (Linux/Raspbian and Meinberg LANTIME) we need to set up this SHA-1 based authentication on our clients. Here we go for a...


NTP Authentication on Cisco IOS

This is how you can use NTP authentication on Cisco IOS in order to authenticate your external NTP servers respectively their NTP packets. Though it is not able to process SHA-1 but only MD5, you’re...


Palo Alto Networks NGFW using NTP Authentication

Everyone uses NTP, that’s for sure. But are you using it with authentication on your own stratum 1 servers? You should since this is the only way to provide security against spoofed NTP packets, refer...


Fortinet FortiGate (not) using NTP Authentication

A security device such as a firewall should rely on NTP authentication to overcome NTP spoofing attacks. Therefore I am using NTP authentication on the FortiGate as well. As always, this so-called...


Infoblox Grid Manager NTP Authentication

Configuring NTP authentication on the Infoblox Grid Master is quite simple. Everything is packed inside the single “NTP Grid Config” menu. You just have to enter the NTP keys respectively key IDs and...


NTP Authentication on Pulse Connect Secure

I initially wanted to show how to use NTP authentication on a Pulse Connect Secure. Unfortunately, it does not support NTP over IPv6, which is mandatory for my lab. Ok, after I calmed down a bit, a...


NTP Authentication at Juniper ScreenOS

Yes, ScreenOS is end-of-everything (EoE), but for historical reasons I still have some of them in my lab. ;D They simply work, while having lots of features when it comes to IPv6 such as DHCPv6-PD....


My IPv6/Routing/Cisco Lab Rack (2019)

My lab rack of 2019 consists of multiple Cisco routers and switches, as well as Juniper ScreenOS firewalls for routing purposes, a Palo Alto Networks firewall, a Juniper SRX firewall, a server for...


PAN Blocking Details

One of my readers sent me this question: We have an internal discussion about whether it is possible to block the 3 way handshake TCP but allow the JDBC application protocol. In other words we would...


Using a FortiGate with a 6in4 Tunnel

For some reason, I am currently using a FortiGate on a location that has no native IPv6 support. Uh, I don’t want to talk about that. ;) However, at least the FortiGate firewalls are capable of 6in4...


Workaround for Not Using a Palo Alto with a 6in4 Tunnel

Of course, you should use dual-stack networks for almost everything on the Internet. Or even better: IPv6-only with DNS64/NAT64 and so on. ;) Unfortunately, still not every site has native IPv6...
