Decrypting TLS Traffic with PolarProxy

Certificate, TLS, , , , , , , ,

This is a guest blog post by Erik Hjelmvik, an expert in network forensics and network security monitoring at NETRESEC.

PolarProxy is a transparent TLS proxy that outputs decrypted TLS traffic as PCAP files. PolarProxy doesn’t interfere with the tunnelled data in any way, it simply takes the incoming TLS stream, decrypts it, re-encrypts it and forwards it to the destination. Because of this PolarProxy can be used as a generic TLS decryption proxy for just about any protocol that uses TLS encryption, including HTTPS, HTTP/2, DoH, DoT, FTPS, SMTPS, IMAPS, POP3S and SIP-TLS.

PolarProxy is primarily designed for inspecting otherwise encrypted traffic from malware, such as botnets that use HTTPS for command-and-control of victim PCs. Other popular use cases for PolarProxy is to inspect encrypted traffic from IoT devices and other embedded products or to analyze otherwise encrypted traffic from mobile phones and tablets. The fact that PolarProxy exports the decrypted traffic in a decrypted format without any TLS headers also enables users to inspect the decrypted traffic with products that don’t support TLS decryption, such as intrusion detection and network forensics products like Suricata, Zeek and NetworkMiner.

Continue reading Decrypting TLS Traffic with PolarProxy

DDIUGv3: Certificate Transparency Disclosure

Certificate, Conference Talks, ,

Quite spontaneous I gave a small talk on the 3rd german DDI (DHCP/DNS/IPAM) user group which took place on June, 17th, 2021. (I was asked to do a talk just two days before the meeting.) It’s based on my blog post about accidental hostname disclosure through the certificate transparency log. To be honest, there’s not much more information in the slides than in my initial blog post. ;D

Continue reading DDIUGv3: Certificate Transparency Disclosure

Firewall Basics: Sent vs. Received Values

Network, , , , ,

I got an interesting question through the comments section on my blog:

What does “Bytes sent/ Bytes received” mean in ACC screen of Palo Alto firewall? I mean, if 500MB of packets are sent from a source device and go through a firewall, get permitted to reach the destination, then the firewall should not see the packets as “sent” or “received”; the firewall just “processes” the packets regardless of the direction, I suppose.

Quite a good questions. Let’s have a look:

Continue reading Firewall Basics: Sent vs. Received Values

Nping aka Layer 4 Ping

Ping/Traceroute, Tutorial/Howto, , , , , ,

I was missing a generic layer 4 ping in my toolbox. Initially searching for a mere TCP ping, I have found Nping which completely satisfies my needs and gives so much more. ;)

What’s a layer 4 ping, and why? –> A normal ping (= ICMP echo-request) reveals whether the destination IP address, that is: the mere server/VM, is up and running. That’s great for a layer 3 networker since routing to and from the destination is already working. However, it does NOT reveal whether or not a service at layer 4 (TCP or UDP) is up and running as well. That’s what a layer 4 ping is about: sending TCP SYNs to the port in question, waiting for a “SYN ACK” (port is listening) or “RST”/no reply (port is not available). Common use cases: Waiting for a service to start again after an upgrade, or waiting for new firewall policies (to allow or deny) a certain port.

Continue reading Nping aka Layer 4 Ping

Capturing – because I can: IS-IS, GLBP, VRRP

Cisco Systems, Internet Access, Network, Routing, , , , , , , , ,

I am constantly trying to add more protocols to the Ultimate PCAP. Hence I used some time in my (old) Cisco lab to configure and capture the following protocols: IS-IS, GLBP, and VRRP. And since Alexis La Goutte sent me some CAPWAP traffic, this protocol is also added. All packets are now found in another update of the Ultimate PCAP. Here are some details:

Continue reading Capturing – because I can: IS-IS, GLBP, VRRP

Zweite Philips Hue Bridge: Was ein Schmodder

Commentary, DIY/Bastelarbeiten, , ,

Seit mehreren Jahren nutze ich Lampen von Philips Hue. Natürlich nicht nur Lampen, sondern auch Relais, Steckdosen, allerlei Schalter, Taster, sowie Hue Labs, Routinen, die Integration mit IFTTT, usw. Entsprechend bin ich leider bereits bei 30 Lampen (von angepriesenen 50) an die 100 % der verbrauchten Regeln gekommen. Ok, das wurde im Hueblog schon vor längerer Zeit beschrieben.

Gut, den Drops muss ich leider lutschen, kaufte mir eine 2. Hue Bridge und gut is. Denkste. Die Integration einer 2. Bridge ist leider alles andere als gut:

Continue reading Zweite Philips Hue Bridge: Was ein Schmodder

Adding some packets: RARP, SNAP, MPLS & More

Network, , , , , , , , , , ,

The other day I was searching for a trace file with a decent protocol mix that could be used to introduce a few colleagues to Wireshark. This brought me to Johannes Weber and his Ultimate PCAP.

To get a first impression of a trace file I used Wireshark’s protocol hierarchy – and boy, that’s a lot of protocols. This was not exactly what I was looking for: This single trace file holds snippets from 2014 to 2020 with a myriad of protocols and IP networks. Unfortunately, it’s nothing like the protocol mix found in a network analysis project.

Nevertheless, the trace file caught my interest as a long time Wireshark user. After nearly 20 years of network analysis, I had my own collection of traces with a few odd frames. To my big surprise, I had recorded a few protocols that are not yet part of the Ultimate PCAP.

So here is my small contribution to this collection:

Continue reading Adding some packets: RARP, SNAP, MPLS & More

Route-Based VPN Tunnel FortiGate <-> Cisco ASA

Cisco ASA, Fortinet, IPsec/VPN, , , , , ,

More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a FortiGate firewall and a Cisco ASA. As time flies by, ASA is now able to terminate route-based VPN tunnels (which is great!), we have IKEv2 running everywhere and enhanced security proposals. Hence, it’s time for an update:

Continue reading Route-Based VPN Tunnel FortiGate <-> Cisco ASA

Route-Based VPN Tunnel Palo Alto <-> Cisco ASA

Cisco ASA, IPsec/VPN, Palo Alto Networks, , , , ,

More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a Palo Alto Networks firewall and a Cisco ASA. As time flies by, ASA is now able to terminate route-based VPN tunnels (which is great!), we have IKEv2 running everywhere and enhanced security proposals. Hence, it’s time for an update:

Continue reading Route-Based VPN Tunnel Palo Alto <-> Cisco ASA

FortiGate bug: firewalls sending excessive requests to the NTP Pool

Fortinet, NTP, , , , , ,

The NTP Pool is a volunteer organization that provides time synchronization service to hundreds of millions of computers worldwide. A typical client might query a particular NTP Pool server ~10-60 times/hour. Wikipedia lists some abusive clients that far exceeded the normal rate. This wastes NTP server resources, may interfere with other clients, and can trigger DDoS protections. In late 2019, a software update made some FortiGate firewalls very unfriendly to the NTP Pool.

Continue reading FortiGate bug: firewalls sending excessive requests to the NTP Pool

NTS Published as Standard

Authentication, NTP, , , , ,

This is a guest blogpost by Martin Langer, Ph.D. student for “Secured Time Synchronization Using Packet-Based Time Protocols” at Ostfalia University of Applied Sciences, Germany.

The Internet Engineering Task Force (IETF) published the Network Time Security protocol (NTS) as RFC 8915 on October 1, 2020. This new standard offers security mechanisms for the widely used Network Time Protocol v4 (NTPv4), which has been operated mostly unsecured until now. After almost eight years of development, global collaboration, and many interoperability tests of leading NTP software developers, NTS represents a mature security protocol. In this post, I’ll give you a short overview of the development progress of NTS and provide a list of public implementations and NTS secured time servers…

Continue reading NTS Published as Standard

iperf3 on a FortiGate

Bandwidth/Delay, Fortinet, Internet Access, Monitoring, , , ,

This is a really nice feature: you can run iperf3 directly on a FortiGate to speed-test your network connections. It’s basically an iperf3 client. Using some public iperf servers you can test your Internet bandwidth; using some internal servers you can test your own routed/switched networks, VPNs, etc. However, the maximum throughput for the test is CPU dependent. So please be careful when interpreting the results. Here we go:

Continue reading iperf3 on a FortiGate

NTP Filtering (Delay & Blockage) in the Internet

NTP, , , , , , , ,

NTP (Network Time Protocol) messages are sometimes rate-limited or blocked entirely by Internet operators. This little-known “NTP filtering” was put into place several years ago in response to DDoS (Distributed Denial of Service) attacks. NTP filtering may drop NTP messages based on rate or message size. Let’s dig into it: Continue reading NTP Filtering (Delay & Blockage) in the Internet