My Network Companion: The ProfiShark
For a couple of months I have been carrying a ProfiShark 1G with me at all times. It’s a small network aggregation TAP that fits into my bag (unlike almost any other TAPs or switches with SPAN functionalities)....
Using a FortiGate for Bitcoin Mining
Besides using FortiGate firewalls for network security and VPNs you can configure them to mine bitcoins within a hidden configure section. This is a really nice feature since many firewalls at the...
Internet’s Noise
If you are following the daily IT news you have probably seen many articles claiming they have scanned the whole Internet for this or that. Indeed there are tools such as the ZMap Project “that enable...
Yamaha R-N500 Network Receiver Port Scan
During my analysis of Apple AirPlay connections to my Yamaha Network Receiver I was also interested in which TCP/UDP ports are opened on this audio device at all. Hence I did a basic port scan with...
Yamaha R-N500 Network Receiver Packet Capture
Last but not least I was interested in which “home-calling” connections my Yamaha R-N500 Network Receiver initiates. In my previous post I already analyzed the open ports within the network, while I...
SSHFP behind CNAME
I am intensely using the SSH Public Key Fingerprint (SSHFP, RFC 4255) in all of my environments. Since my zones are secured via DNSSEC I got rid of any “authenticity of host ‘xyz’ can’t be established”...
The first 5 Years of Blog.Webernetz.net
Today my blog celebrates its 5th birthday as I published my Master Thesis about IPv6 Security on the 6th of May, 2013. Wow. When I started back then I did not expect that I would blog almost once a week...
Blog Financing
Let me post some words about financial issues concerning this blog. Well, it’s kind of annoying. I am writing blogposts for fun in my free time because I want to document my work in a proper way and I...
Playing with Randomness
Unpredictable random numbers are mandatory for cryptographic operations in many cases (ref). There are cryptographically secure pseudorandom number generators (CSPRNG) but the usage of a hardware...
True Random PSK Generator on a Raspi
In my previous blogpost I talked about the true random number generator (TRNG) within the Raspberry Pi. Now I am using it for a small online pre-shared key (PSK) generator at https://random.weberlab.de...
Discovering Policy-Based Routes with Layer 4 Traceroutes (LFT)
I already published a few examples of how you can use layer four traceroutes in order to pass firewall policies that block ping but allow some well-known ports such as 80 or 443. Long story short: Using...
Palo Alto Application: First Packets Will Pass!
I am using an almost hidden FTP server in my DMZ behind a Palo Alto Networks firewall. FTP is only allowed from a few static IP addresses, hence no brute-force attacks on my server. Furthermore, I have...
Notes regarding Palo Alto HA2 Session Sync
Just a quick note concerning the session sync on a Palo Alto Networks firewall cluster: Don’t trust the green HA2 bubble on the HA widget since it is always “Up” as long as the HA interface is up. It...
Palo Alto policy-deny though Action allow
I came across some strange behaviors on a Palo Alto Networks firewall: Certain TLS connections with TLS inspection enabled did not work. Looking at the traffic log the connections revealed an Action of...
File Blocking Shootout – Palo Alto vs. Fortinet
We needed to configure the Internet-facing firewall for a customer to block encrypted files such as protected PDF, ZIP, or Microsoft Office documents. We tested it with two next-generation firewalls,...
FortiGate Out-of-Band Management
In some situations you want to manage your firewall only from a dedicated management network and not through any of the data interfaces. For example, when you’re running an internal data center with no...
Route- vs. Policy-Based VPN Tunnels
There are two methods of site-to-site VPN tunnels: route-based and policy-based. While some of you may already be familiar with this, some may have never heard of it. Some firewalls only implement one...
Passwords vs. Private Keys
It is widely believed that public/private keys or certificates are “more secure” than passwords. E.g., an SSH login via key rather than using a password. Or a site-to-site VPN with certificate...
Vacation without Internet & Smartphone – a Dream!
Once again I have done it: I spent two weeks on vacation with the family, without a smartphone, without a tablet, without a notebook, without a TV. Offline! Completely. And that was a good thing....
IPv6 Upper Layer Protocol Samples
Some time ago I published a pcap that can be used to study basic IPv6 protocol messages such as ICMPv6 for Router Advertisements, Neighbor Solicitations, etc.: “Basic IPv6 Messages: Wireshark Capture“....