Networking

Detecting threats with inbound SSL (TLS) decryption

Published 23 December, 2019 | By James Preston

Today we have the answer to the question – Without SSL decryption how many threats/attempted vulnerability exploits/other bad stuff will I miss that are coming from the internet at my internally hosted (externally published) web sites and services?
To run some simple tests (which will be detected as malicious attacks) I’m going to be running the Nessus scanner against a website behind a Palo Alto Networks Next Generation Firewall, while we won’t get the same results that might be seen from a ‘determined attacker’ we will get an idea of how things look from the standpoint of a ‘casual attacker’.

In short the answer is you’ll miss a lot – without decryption of traffic coming at your own web servers it’s pretty much impossible to detect attacks (with some minor exceptions) that are hiding inside HTTPS, either way let’s see how it’s done…

Kit list for this testing:

An ‘internal’ web service, in this case the web console for PRTG Network Monitor (running on Windows Server)
A Palo Alto Networks Next Generation Firewall – a PA-850 running PAN-OS 8.1 with a full suite of licences
The Nessus vulnerability scanner

Both the firewall and the web service have been configured to run TLS1.2 with the private key for the certificate on both (which allows the firewall to decrypt the traffic without breaking connections) and the latest firmware/security updates have been applied across the board. Continue reading →

Posted in Servers, Networking | Tagged Inspection, Nessus, SSL, TLS, Palo Alto Networks, PAN, NGFW | 2 Comments

Extracting TRAFFIC, THREAT, CONFIG and SYSTEM syslog from a Palo Alto Networks Next Generation Firewall with Graylog

Published 22 October, 2019 | By James Preston

Graylog is a brilliant (and Open Source) tool to easily capture logs from a variety of systems including good old fashioned syslog.

In the screenshot guide below you will learn how to use a set of extractors I constructed to parse out useful information from PAN NGFW syslog.

The link to the source files mentioned is: https://github.com/jamesfed/PANOSGraylogExtractor

Posted in Software, Hardware, Networking | Leave a comment

CITC 19 The tiny development board for all your IoT needs!

Published 23 March, 2019 | By James Preston

It’s always a pleasure to run a presentation and at this years Oxford and Cambridge Colleges IT Conference has definitely been one of the highlights covering a new hobby – running all kinds of IoT applications on the ESP8266 micro-controller.

Posted in Hardware, The Cloud, Networking | Tagged IoT, ESP8266 | 1 Comment

HPE ProCurve/Aruba turn off — MORE — (aka paging)

Published 8 February, 2019 | By James Preston

When running CLI commands against an HPE Aruba (previously ProCurve) switch that have long outputs you have likely encountered the line below.

— MORE –, next page: Space, next line: Enter, quit: Control-C

Although handy – on occasion you might need to turn this off. To do so simply run the command (no need to be in config mode for this) below.

no page

Note that this will only turn off paging for the current session so if you log out or reboot the switch you’ll need to run the command again. Equally so to turn paging back on simply run the command below.

page

Posted in Networking | Tagged ProCurve, Switch, HPE, Aruba, CLI | 1 Comment