This is a guest blogpost by Erik Hjelmvik, an expert in network forensics and network security monitoring at NETRESEC.
Wireshark is the default goto tool for analyzing captured network traffic for most network engineers. But there are a few other free and open source alternatives that are sometimes overlooked, one of which is NetworkMiner (disclaimer: I’m the creator of NetworkMiner).
Continue reading Intro to NetworkMiner →
While playing around in my lab learning BGP I configured iBGP with Multiprotocol Extensions (exchanging routing information for IPv6 and legacy IP) between two Cisco routers, a Palo Alto Networks firewall, and a Fortinet FortiGate firewall. Following are all configuration steps from their GUI (Palo) as well as their CLIs (Cisco, Fortinet). It’s just a “basic” lab because I did not configure any possible parameter such as local preference or MED but left almost all to its defaults, except neighboring from loopbacks, password authentication and next-hop-self.
Continue reading Basic MP-BGP Lab: Cisco Router, Palo Alto, Fortinet →
It is widely believed that public/private keys or certificates are “more secure” than passwords. E.g., an SSH login via key rather than using a password. Or a site-to-site VPN with certificate authentication rather than a pre-shared key (PSK). However, even certificates and private keys are not unlimited secure. They can be compromised, too, since the public-key cryptography only implies that private keys won’t be exposed if a brute-force attack is nearly impossible.
So, what’s the real security level of passwords compared to public keys/certificates?
Continue reading Passwords vs. Private Keys →
We needed to configure the Internet-facing firewall for a customer to block encrypted files such as protected PDF, ZIP, or Microsoft Office documents. We tested it with two next-generation firewalls, namely Fortinet FortiGate and Palo Alto Networks. The experiences were quite different…
TL;DR: While Fortinet is able to block encrypted files, Palo Alto fails since it does not identify encrypted office documents! [UPDATE: Palo Alto has fixed the main problem, see notes below.]
Continue reading File Blocking Shootout – Palo Alto vs. Fortinet →
While testing with the new release of Hydra against my own FTP server from FileZilla, I recognized that the autoban feature from FileZilla does not work for IPv6 connections. If there are multiple failed login attempts from an IPv4 address, FileZilla Server correctly blocks that IP. That is: Hydra stops testing passwords since it is not able to connect to the server anymore. However, when using IPv6, the FileZilla server generates the same error message (“421 Temporarily banned for too many failed login attempts”), but new connections from the same IPv6 address are still possible.
Here are my test results:
Continue reading FileZilla Server Bug: Autoban does not work with IPv6 →
How are passwords stolen? What are common password flaws? What are the security techniques to enhance the security of passwords respectively the security of the login-services? What authentication methods provide long-term security? How often should a password be changed? Which methods achieve good security while not being too complicated to be used by end-users?
This blog post discusses several methods of how passwords are stolen and provides approaches of how login-services can be secured.
Continue reading Password Policies – Appropriate Security Techniques →
This is a mathematical post which is related to the xkcd 936 comic about password strength. The central question is: What is better for passwords? A password containing a few random characters or a passphrase containing a (less) few random words? Here comes a mathematical discussion.
Continue reading Password Strength/Entropy: Characters vs. Words →
This is a short post in which I show the options I am using when generating random passwords with the Password Generator that ships with the password safe KeePass. The character set should be as big as possible while not containing letters that could confuse the end-user. Of course, all upper- & lower-case alphabetic characters as well as the digits are included. For all other symbols, I chose those which are inside the ASCII table as well as writeable with the keyboard layouts for US and German keyboards.
Continue reading Password Generator Options for KeePass →
Mit der häufigste Tipp, den ich meinen Freunden und Bekannten gebe, ist: Benutzt sichere Passwörter! Am besten noch verschiedene für alle Services, also Dienste/Homepages/E-Mail/etc. im Internet und Co. Und uns ist allen klar: Das macht keiner… ;) Außer man hat einen vernünftigen Passwortspeicher den man auch flexibel und von verschiedenen Orten aus benutzen kann. In einem solchen Programm kann man alle verschiedenen Passwörter eingeben und verschlüsselt in einer Datei speichern. Das heißt, man braucht zwar ein sehr gutes (= langes & komplexes) Passwort um den Passwortspeicher zu öffnen, erspart sich aber das Merken von allen anderen Passwörtern. Sprich: Man muss sich fortan nur noch ein Passwort merken und hat dann einen sicheren Zugriff auf alle möglichen anderen Passwörter. Ich empfehle den KeePass Password Safe und möchte hier eine komplette Einführung für ihn geben:
Continue reading KeePass Passwort-Speicher Einführung →