If you’re analyzing PCAP data on a regular basis, you’ve probably worked with some of the following tools:
The key idea of most of these tools is to provide information on various layers of the OSI model to allow the user to gain insight in what’s going on. Network Miner is the exception that is very useful for quickly extracting all files.
These tools are great for troubleshooting or monitoring purposes. However, when you’re dealing with forensics on user sessions and want to see reconstructed data presented as a recorded session, you obviously need something else.
Xplico is designed to facilitate in reconstructing application data from PCAP files and to present it in an accessible way:
“Xplico [was] born expressly with the aim to reconstruct the protocols’s application data and it is able to recognize the protocols with a technique named Port Independent Protocol Identification (PIPI).”
One thing that really appeals to me about Xplico is that the application is well-documented
Yesterday, I was supposed to give a presentation at the Linux/Unix night in Amsterdam. Unfortunately, I was unable to get there due to public transportation problems.
However, I translated the slides in English so If you’d like to see a comparison of two very popular (PEN) Testing Toolkits, have a look. There’s a Dutch version below.
For the Dutch edition, see this presentation
In the slides from a speech from BSDCON called ‘Inspecting Packets with OpenBSD and pf’ I found an interesting slide on PF software being integrated on other operating systems like QNX.
I was a little shocked to read this at first. Cisco uses QNX as the base operating system for Cisco IOS-XR and, believe me, this software is going to be around for a while. Especially due to the microkernel design of QNX I believe this OS can become integrated on a massive scale.
I wanted to see for myself about the firewall of QNX. The name isn’t referred to in the documentation, but for PF users it’s perfectly clear that PF is the ‘IP Filter’ in QNX according to the documentation:
The property that the last matching rule wins isn’t very common in firewall software. Anyway, I love it!
Now the question is whether the functionalities of PF can be found in Cisco IOS-XR. Personally, I don’t think so. The inner workings described in documentation on Virtual Firewall (VFW) software on a multiservice blade makes it look much more like the Firewall Service Module (FWSM) and like PIX OS than like anything BSD-like.
But in general, I like QNX already, and I think it’s smart for Cisco to have it’s functionalities running on top of this BSD-like operating system.
QNX might one day redefine the network operating system landscape.
In case you’re interested in routing technology, there’s a set of books called the ‘Distinguished Engineer Book Set’ published by Wiley. The book on the right called ‘MPLS-Enabled Applications’ is all about the roots of MPLS and current and upcoming traffic engineering features. It is a quick but relatively thorough update on what’s happening.
It’s quite a challenge if you’re not yet familiar with technologies like RSVP and LDP and designs with both involved. However, there’s a shortcut to get up-to-speed with current technology before you move to trends and upcoming technology.
If you haven’t got the books or don’t have the time to finish them, there’s a way to get a summary view on traffic engineering with MPLS as it was in 2000 on Youtube (below). This helps to get up-to-speed with current developments.
If you have 3 hours and want to get an overview on early MPLS and traffic engineering, this video is worth it! I’ve read half of the book that’s marked above and this video made reading the rest of it much easier.
The video contains a long presentation on the various topics on the technologies and implementation, and there’s lots of practical demos to see how it works. The best aspect of it is that Jeff Doyle and other speakers interact with Juniper’s and Cisco’s developers on the various implementations of these technologies.
I’m a big fan of security benchmarks for the configuration of infrastructures. This allows one to use the experience and knowledge of others and to compare one’s software configuration with a well developed benchmark while saving time.
Center for Internet Security
The Center for Internet Security is a wonderful effort that has led to the development of tools, benchmarks and metrics on information security. Things that you can just download and use right away.
Not all benchmarks are up-to-date, and I hope the community will grow bigger and more active to save everybody time and effort on the long run. I will try to give a helping hand related to firewalls and other security appliances during the course of 2014.
In the Database section of the Security Configuration benchmarks on the downloads page you can find benchmarks for the most widely used database engines, including
- IBM DB2
- MSSQL (2008R2)
- MySQL (5.1)
Benchmarks are like a check list of important configuration options with the advised values. It actually looks like a checklist.
You can mark some important metrics, compare the advised values with your own configuration, and discuss improvements with senior engineers or management and go from there.
Today, Fortinet posted an article on the technology and security features of Hyper-V. However, they didn’t mention whether they would support the FortiGate appliance on this hypervisor.
I was wondering whether they would do this, so I Googled it up and came to realise that yesterday, they announced future support for a virtual FortiGate on Hyper-V and KVM.
I’m glad to know that Fortinet will support these platforms in the future and moves forward in the world of virtualized infrastructures.
This is a talk I recently gave on Database Security for DBA’s
Today we will be adding firewall rules to a an OpenBSD system in a way that shows the process and verification steps needed to correctly implement firewall changes and test them before closing the request.
In short, we will check the configuration, add variables, make rules, verify, implement and test them.
Here’s our bridged firewall (no routing, no IP address) that is filtering between a branch office and a corporate network.
This is a short introduction to troubleshooting your wireless network connectivity and capabilities on a Windows machine using the CLI. There isn’t an actual problem we need to solve, we’ll just do some exploration.
We’ll use the Netsh interactive shell that is designed for scripting, just to give you an idea on how useful it can be to use these CLI capabilities on a Microsoft platform.
Exploring useful tools in BackBox Linux 3
In the previous articles, we have setup the requirements for this lab
Now we’re ready to perform the analysis and exploitation.
Here’s an overview of today’s tutorial
- Start Metasploit Framework and connect to your database
- Using nmap and auxiliary modules in msfconsole
- Vulnerability scanning with the OpenVAS Framework
- Learn about and exploit the host with msfconsole
- Explore basic post-exploitation tools