Category Archives: Memorandum

Posts with the category “Memo” contain no new stuff for the Internet community but provide some useful aggregations of information for certain IT related things.

My Network Companion: The ProfiShark

Since a couple of months I am carrying a ProfiShark 1G always with me. It’s a small network aggregation TAP that fits into my bag (unlike almost any other TAPs or switches with SPAN functionalities). It runs solely via USB 3.0, hence no additional power supply nor network port on my laptop is required to get it running.

In this post I’ll give some hints on how to use the ProfiShark 1G with Windows (read: some initial problems I had and how to solve them) as well as some use cases out of my daily work with it.

Continue reading My Network Companion: The ProfiShark

DNSSEC KSK Emergency Rollover

In my last blogpost I showed how to perform a DNSSEC KSK rollover. I did it quite slowly and carefully. This time I am looking into an emergency rollover of the KSK. That is: What to do if your KSK is compromised and you must replace it IMMEDIATELY.

I am listing the procedures and commands I used to replace the KSK of my delegated subdomain dyn.weberdns.de with BIND. And as you might already suggest it, I am showing DNSViz graphs after every step since it greatly reveals the current DNSKEYs etc.

Continue reading DNSSEC KSK Emergency Rollover

DNSSEC KSK Key Rollover

Probably the most crucial part in a DNSSEC environment is the maintenance of the key-signing key, the KSK. You should rollover this key on a regular basis, though not that often as the zone signing keys, the ZSKs. I am doing a KSK rollover every 2 years.

In the following I will describe the two existing methods for a KSK rollover along with a step-by-step guide how I performed such a rollover for my zone “weberdns.de”. Of course again with many graphics from DNSViz (with “redundant edges”) that easily reveal the keys and signatures at a glance.

Note that this blogpost is NOT about the Root Zone KSK Rollover that appears in 2017/2018. It is merely about your OWN zone that is secured via DNSSEC.

Continue reading DNSSEC KSK Key Rollover

Generating SSHFP Records Remotely

Until now I generated all SSHFP resource records on the SSH destination server itself via ssh-keygen -r <name>. This is quite easy when you already have an SSH connection to a standard Linux system. But when connecting to third party products such as routers, firewalls, whatever appliances, you don’t have this option. Hence I searched and found a way to generate SSHFP resource records remotely. Here we go:

Continue reading Generating SSHFP Records Remotely

SSHFP: FQDN vs. Domain Search/DNS-Suffix

This is actually a bad user experience problem: To generally omit the manual verification of SSH key fingerprints I am using SSHFP. With fully qualified domain names (FQDN) as the hostname for SSH connections such as ssh nb10.weberlab.de this works perfectly. However, admins are lazy and only use the hostname without the domain suffix to connect to their servers since the domain search does the rest: ssh nb10. Not so for SSHFP which fails since the default OpenSSH client does not use canonicalization for its DNS queries. Hence you must explicitly enable canonicalization for OpenSSH.

Continue reading SSHFP: FQDN vs. Domain Search/DNS-Suffix

PGP Key Distribution via DNSSEC: OPENPGPKEY

What is the biggest problem of PGP? The key distribution. This is well-known and not new at all. What is new is the OPENPGPKEY DNS resource record that delivers PGP public keys for mail addresses. If signed and verified with DNSSEC a mail sender can get the correct public key for his recipient. This solves both key distribution problems: 1) the delivery of the public key and 2) the authenticity of the key itself, i.e., that you’re using the correct key to encrypt a mail.

The “DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP” is specified in the experimental RFC 7929. Let’s have a look on how you can add your public key into the zone file of your DNS server.

Continue reading PGP Key Distribution via DNSSEC: OPENPGPKEY

CAA: DNS Certification Authority Authorization

I really like the kind of security features that are easy to use. The CAA “DNS Certification Authority Authorization” is one of those, specified in RFC 6844. As a domain administrator you must only generate the appropriate CAA records and you’re done. (Unlike other security features such as HPKP that requires deep and careful planning or DANE which is not used widely.) Since the check of CAA records is mandatory for CAs since 8. September 2017, the usage of those records is quite useful because it adds another layer of security.

Continue reading CAA: DNS Certification Authority Authorization

Nmap Packet Capture

I am using Nmap every time I installed a new server/appliance/whatever in order to check some unknown open ports from the outside. In most situations I am only doing a very basic run of Nmap without additional options or NSE scripts.

Likewise I am interested in how the Nmap connections appear on the wire. Hence I captured a complete Nmap run (TCP and UDP) and had a look at it with Wireshark. If you’re interested too, feel free to download the following pcap and have a look at it by yourself. At least I took some Wireshark screenshots to give a first glance about the scan.

Continue reading Nmap Packet Capture

SSH Key Fingerprints

As a network administrator I know that there are SSH fingerprints. And of course I know that I must verify the fingerprints for every new connection. ;) But I did not know that there are so many different kinds of fingerprints such as md5- or sha-hashed, represented in base64 or hex, and of course for each public key pair such as RSA, DSA, ECDSA, and Ed25519. Uh, a bit too complicated at a first glance. Hence I draw a picture.

Continue reading SSH Key Fingerprints

IKEv1 & IKEv2 Capture

It is probably one of the most used protocols in my daily business but I have never captured it in detail: IKE and IPsec/ESP. And since IKEv2 is coming I gave it a try and tcpdumped two VPN session initiations with IKEv1 main mode as well as with IKEv2 to see some basic differences.

Of course I know that all VPN protocols are encrypted – hence you won’t see that much data. But at least you can see the basic message flow such as “only 4 messages with IKEv2” while some more for legacy IKEv1. I won’t go into the protocol details at all. I am merely publishing two pcap files so that anyone can have a look at a VPN session initiation. A few Wireshark screenshots complete the blogpost.

Continue reading IKEv1 & IKEv2 Capture

Juniper ScreenOS Initial Cleanup Config

I still like the Juniper ScreenOS firewalls such as the SSG 5 or the SSG 140. However, they are End of Everything (EoE) and not used at the customers anymore. But they still do their job in basic networking (static/dynamic routing such as OSPF & BGP, IPv6, NAT), basic firewalling (access policies), and IPsec VPN. Hence I am using a couple of SSGs in my lab when playing with routing protocols and so on.

After a factory reset of those firewalls there are some default settings such as zones at a few interfaces and default IP addresses. Therefore I put the following commands together in order to cleanup the default config to have only IP addresses and default routes which is a good starting point for lab configurations. Let’s go:

Continue reading Juniper ScreenOS Initial Cleanup Config

Basic Cisco Configuration

Following is a list of the most common Cisco device configuration commands that I am using when setting up a router or switch from scratch, such as hostname, username, logging, vty access, ntp, snmp, syslog. For a router I am also listing some basic layer 3 interface commands, while for a switch I am listing STP and VTP examples as well as the interface settings for access and trunk ports.

This is not a detailed best practice list which can be used completely without thinking about it, but a list with the most common configurations from which to pick out the once required for the current scenario. Kind of a template. Of course with IPv6 and legacy IP.

Continue reading Basic Cisco Configuration

Palo Alto Reporting

I wanted to configure a weekly email report on a Palo Alto Networks firewall. “Yes, no problem”, I thought. Well, it was absolutely not that easy. ;(

While the PAN firewalls have a great GUI and a good design at all they lack an easy-to-use email reporting function, especially when compared to the FortiGate firewalls which have a great local report feature. –> If you want some stats on a weekly basis you must configure it completely from scratch. Unluckily this is not that easy since you must pass several steps for that. Therefore, I drew an outline of the Palo Alto reporting stages to have an overview of them.

Continue reading Palo Alto Reporting

CLI Commands for Troubleshooting Juniper ScreenOS Firewalls

Yes I know, ScreenOS is “End of Everything” (EoE). However, for historical reasons I am still managing many Netscreen/ScreenOS firewalls for some customers. Similar to my troubleshooting CLI commands for Palo Alto and Fortinet I am listing the most common used commands for the ScreenOS devices as a quick reference / cheat sheet. These are only the commands that are needed for deep troubleshooting sessions that cannot be done solely on the GUI.

Continue reading CLI Commands for Troubleshooting Juniper ScreenOS Firewalls