Author: admin@labtinker.net

5 March 2023

The Top Right Corner

In football there are free-kicks so superbly taken that commentators will say the goalie had no chance. The ball was so perfectly arced into the top right corner that there was nothing the hapless keeper could have done to stop it. What brings me to this? A troubleshooting scenario where the issue was so deviously constructed – albeit not on purpose – that it felt […]

30 October 2022

Forti SD-WAN DIA (and GNS3 Cloud types!)

I’ve been looking at SD-WAN recently and labbed up a simple implementation to test this using GNS3. This is the setup: the southern cloud to the left allows management access to the Fortigate, and the cloud next to it is a connection to a VMware Workstation Linux box. The clouds north of the Fortigate are both GNS3 NAT clouds out to the Internet. It occurs […]

7 August 2022

MPLS and MP-BGP

To me MPLS has always been a cloud on a network diagram that was someone else’s problem. But I decided to lab it up and see how it worked. Happily, I found someone who had described how to set up the lab to do just this: https://packetlife.net/blog/2011/may/16/creating-mpls-vpn/ The rest of the post assumes you have read this link but I will repeat or emphasise relevant […]

2 July 2022

As Easy as Falling off a Log

I encountered one of those smallish problems where I needed to do something slightly out of the ordinary and felt the need to share it here to spare someone a precious few moments re-inventing… not so much the wheel… as perhaps the furry dice. And so to the problem: I have/had an overly permissive rule on an ASA and after putting more granular rules […]

11 June 2022

Call the DNS Doctor

I never really knew DNS doctoring was much of a thing until I encountered it: essentially getting your firewall to alter or doctor DNS responses. One use case for this might be that you can have your internal hosts receive an internal DNS address whilst keeping them pointing to an external ISP’s DNS. I could go on but somebody already has: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html So I thought […]

30 April 2022

Cisco Firepower and non-std SSH

At my new place of work I have encountered Cisco’s NGFW offering: Firepower. The firewall policies are administered on an FMC (Firewall Management Center) and pushed or deployed to enforcement modules called FTDs (Firepower Threat Defense). Instead of FTDs you can do this on ASAs with an SFR module, but I digress. Posts passim will testify that I like to test NGFWs by […]

20 March 2022

CNAME of shame

Before I left work on Friday some of our proxies were showing a DNS error getting to https://app.powerbi.com; our MSP was left pursuing this. I decided to do a bit of digging myself. A DNS query can provide an ‘A’ response which tells the querier the IP address associated with the given name, but often a CNAME record (Canonical Name) can be returned, which effectively […]

16 February 2022

OpenSSL Cheatsheet

Ed Harmoush, whose SSL course I waxed lyrical on in an earlier post, has released a freely shareable OpenSSL cheatsheet to publicise a new course specifically on… OpenSSL. So here it is… I haven’t done the OpenSSL course but intend to and I repeat my recommendation for his SSL course… links to his site are on the cheat sheet…

1 February 2022

Cisco ASA and non-std SSH – the reprise

Any readers of this blog will possibly remember that I compared a few different vendors’ firewalls to see how easy it was to configure them to block SSH access when it was running on the non-standard port of TCP 80, which is typically used by HTTP. (This is a little contrived because anyone trying to get out like this would probably use TCP 443, giving […]

20 December 2021

ISE work if you can get it…to work

I’ve decided to have a stab at CCNP Security and to this end thought a lab with an ISE server would be useful. This post is how I set up the lab (nothing on doing anything with it!) as I found fewer resources available than I expected detailing this. There may be better solutions available; this is just the one I found. You’ll need a […]