

New Year present from Checkpoint – R75

Well, saying 'present' I was being a bit sarcastic; it is just another release in the NGX family, R75, which is now available for download: R75 release.

So go ahead, install it, use it, enjoy its new features and bugs, and report back to the mothership.
Note: at present a trial download of R75 is not available, but you can download R71.10, which isn't that different. The usual way to go: Trial software from Checkpoint.

Posted in Checkpoint NG/NGX.



Check Point Certified Master Architect Certification is more accessible than ever

Hello, fellow checkpoint-heads.
I know you have been waiting for this for a long, long time, and now it is happening: Checkpoint announced that the Check Point Certified Master Architect Certification lab can be taken at the "convenience of your desktop", that is, online. You don't need to ride your horses across dusty Texas any more; for a mere 1500 US$ you can take it online and be happy ever after (methinks you will be happy anyway, because if you can easily throw away 1500 bucks you are all set already).
In addition, their CCSA/CCSE training classes are also available online; details are on their website.

Posted in Checkpoint NG/NGX.



CCIE Security travel diaries are here

Bonjour à tous, as they say in Brussels (sorry, Bruxelles).

I started a new blog about preparing/thinking/sweating/labbing for the Cisco CCIE Security Lab exam. You are welcome to read it here: ccie-security-blog.com. The first post is titled "Tips on how to fail your CCIE Security Lab exam" and summarizes my first attempt, which I took in November in Brussels.

Also, it inevitably means I will post less and less here about Checkpoint, so bear with me until I attain this coveted badge, CCIE Security.

Cheers,

Happy New Year everyone!

Posted in ASA/PIX Cisco, Cisco, IOS Cisco.



New spam on the block

Maybe not new, but new to me: spam mails that, instead of direct links to their websites, list links cached in Google. So in the email you get not http://degayfisk.com/ but http://google.nr/search?q=cache:c2tHRUQ2mx4J:google.co.nz. A filter that only looks at the link's own domain sees google.nr rather than the spammer's site.
It is, by the way, recognized by eSafe 8.5 as a clean mail, what a shame.
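As an added example (not part of the original post), here is a small Python check that pulls the hidden destination out of such Google cache links, so a mail filter can reputation-check the real target instead of the google.* host. The sample mail body is constructed from the two URLs quoted above, and the assumption that the links follow the /search?q=cache:<docid>:<url> form seen in the post (with the document id optional) is mine.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Any Google web-search URL (any ccTLD, e.g. google.nr) carrying a query string.
GOOGLE_SEARCH = re.compile(
    r"https?://(?:www\.)?google\.[a-z.]{2,10}/search\?[^\s\"'<>]+", re.I
)
# Cache document ids look like a short base64url token (assumption, modelled on
# the c2tHRUQ2mx4J id quoted in the post).
DOCID = re.compile(r"^[A-Za-z0-9_-]{10,16}$")


def cached_target(url):
    """Return the address wrapped in a Google 'cache:' search link, or None.

    Handles both  q=cache:<docid>:<target>  and  q=cache:<target>.
    """
    query = parse_qs(urlsplit(url).query)
    q = query.get("q", [""])[0]
    if not q.lower().startswith("cache:"):
        return None
    body = q[len("cache:"):]
    head, sep, rest = body.partition(":")
    if sep and DOCID.match(head):          # strip the optional document id
        body = rest
    return unquote(body) or None


def find_cache_links(text):
    """List (link, hidden_target) pairs for every cache link in a mail body."""
    hits = []
    for m in GOOGLE_SEARCH.finditer(text):
        target = cached_target(m.group(0))
        if target:
            hits.append((m.group(0), target))
    return hits


def is_suspicious(text):
    """Mail-filter verdict: a link that hides its destination behind Google's
    cache is treated as suspicious regardless of the google.* domain."""
    return bool(find_cache_links(text))


# Constructed sample mail body (not a real message), built from the URLs above.
SAMPLE_MAIL = (
    "Great offers here: http://google.nr/search?q=cache:c2tHRUQ2mx4J:google.co.nz\n"
    "and also http://www.google.com/search?q=cache:http://degayfisk.com/ enjoy!\n"
    "Unsubscribe: http://degayfisk.com/unsub\n"
)

if __name__ == "__main__":
    for link, target in find_cache_links(SAMPLE_MAIL):
        print(f"{link}\n  -> hidden target: {target}")
```

The direct http://degayfisk.com/ link is left to the normal URL filter; only the cache-wrapped ones are unwrapped, and the unwrapped target is what you would feed to the reputation lookup.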

Posted in Esafe.



Best open source Netflow/sFlow analyzing software

People frequently ask me what software I would recommend for Netflow analysis, especially with security implementations in mind. I made my choice long ago and haven't been complaining so far: the Nfsen graphical frontend with Nfdump as its data-processing backend. It provides the most flexibility and configurability; its filter syntax is very tcpdump-like; the graphical front end provides just enough interactivity; the alerting system is just amazing. Moreover, it supports not only Netflow but sFlow as well, so all Fortigate appliances with the latest OS can be monitored this way.
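As an added illustration of what a security-oriented nfdump query looks like (example code, not part of the original post or of the Nfsen/Nfdump projects): a tcpdump-like nfdump filter that exports SYN-only flows to port 22, and a Python pass over its CSV output that ranks sources by how many distinct hosts they knocked on. The CSV sample is constructed in the shape of `nfdump -o csv` output; the column names used (sa, da, dp, pr, flg) and the dotted UAPRSF flag rendering are my assumptions about that format, and fields are looked up by header name so a different column order does no harm.

```python
import csv
import io
from collections import defaultdict

# nfdump filter (tcpdump-like) to export only SYN-without-ACK flows to SSH.
# Profile path and time window are illustrative:
#   nfdump -R /var/nfsen/profiles-data/live \
#          -t 2010/12/20.03:00:00-2010/12/20.04:00:00 \
#          -o csv 'proto tcp and dst port 22 and flags S and not flags A'

# Constructed sample in the shape of `nfdump -o csv` output (header + rows,
# plus the trailing summary line nfdump appends); assumed column names.
SAMPLE_CSV = """\
ts,te,td,sa,da,sp,dp,pr,flg,fwd,stos,ipkt,ibyt
2010-12-20 03:00:01.120,2010-12-20 03:00:01.120,0.000,203.0.113.9,192.0.2.10,40001,22,TCP,....S.,0,0,1,60
2010-12-20 03:00:01.131,2010-12-20 03:00:01.131,0.000,203.0.113.9,192.0.2.11,40002,22,TCP,....S.,0,0,1,60
2010-12-20 03:00:01.142,2010-12-20 03:00:01.142,0.000,203.0.113.9,192.0.2.12,40003,22,TCP,....S.,0,0,1,60
2010-12-20 03:00:02.500,2010-12-20 03:00:02.500,0.000,203.0.113.9,192.0.2.12,40004,80,TCP,....S.,0,0,1,60
2010-12-20 03:00:03.000,2010-12-20 03:00:03.000,0.000,203.0.113.77,192.0.2.10,40005,22,TCP,....S.,0,0,1,60
2010-12-20 03:00:05.000,2010-12-20 03:00:09.100,4.100,192.0.2.50,192.0.2.10,51000,22,TCP,.AP.SF,0,0,30,2800
Summary
"""


def syn_only(flags):
    """True for a flow whose flag string shows SYN but never ACK (half-open probe)."""
    return "S" in flags and "A" not in flags


def ssh_scanners(csv_text, min_targets=3):
    """Map source -> number of distinct hosts probed on tcp/22 with SYN-only
    flows, keeping only sources at or above the threshold."""
    targets = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        pr, dp, flg = row.get("pr"), row.get("dp"), row.get("flg")
        if pr != "TCP" or dp != "22" or not flg:
            continue              # also skips nfdump's trailing summary lines
        if syn_only(flg):
            targets[row["sa"]].add(row["da"])
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    ranked = sorted(ssh_scanners(SAMPLE_CSV).items(), key=lambda kv: -kv[1])
    for src, n in ranked:
        print(f"{src} probed {n} hosts on tcp/22 without completing a handshake")
```

The completed session from 192.0.2.50 (ACK set) and the lone probe from 203.0.113.77 drop out; only the source that swept several hosts is reported, which is the shape of rule you would hang an Nfsen alert on.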

Posted in Firewall, Networking.



Class A network 2.0.0.0/8 is inaccessible from behind Edge devices (bug)

There is a non-critical but rather annoying bug in the Checkpoint Edge devices' firmware 8.1.x that prevents any host behind them from reaching the class A network 2.0.0.0/8. If you notice this problem it is most probably because the pool 2.16.0.0/13 was recently assigned to Akamai Technologies. Checkpoint have a bug-fix firmware for that, so open a ticket with them and you will get one.

Posted in Checkpoint NG/NGX.



IP address pools of Facebook to block, if you need to

Once upon a time I mentioned that blocking Facebook is easy as they have a uniform IP address pool. Since then they have added more; here are the new and old pools (ARIN whois records):

NetRange: 69.63.176.0 - 69.63.191.255
CIDR: 69.63.176.0/20
OriginAS: AS32934
NetName: TFBNET2
NetHandle: NET-69-63-176-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Assignment
NameServer: NS5.FACEBOOK.COM
NameServer: NS3.FACEBOOK.COM
NameServer: NS4.FACEBOOK.COM
RegDate: 2007-02-07
Updated: 2010-07-08

NetRange: 66.220.144.0 - 66.220.159.255
CIDR: 66.220.144.0/20
OriginAS: AS32934
NetName: TFBNET3
NetHandle: NET-66-220-144-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Assignment
NameServer: NS5.FACEBOOK.COM
NameServer: NS3.FACEBOOK.COM
NameServer: NS4.FACEBOOK.COM
RegDate: 2009-02-13

Posted in Awk weekly, Scan of the week.


Grab bag of pf commands for FreeBSD and OpenBSD

Nothing new here, just a round-up of the commands/configs I happen to need from time to time. Google probably has better references for that. I talk about the pf firewall used on FreeBSD and OpenBSD. (A caveat on Solaris: Solaris 10 ships IPFilter, driven by ipf/ipfstat rather than pfctl; pf only appeared in later Solaris 11 releases, so the commands below do not apply to a Solaris 10 box.)
Enable and disable firewall:

# pfctl -e                 Enable the packet filter right away
# pfctl -ef /etc/pf.conf   Enable the packet filter and load the rules from /etc/pf.conf
# pfctl -d                 Disable the packet filter

Enable/disable permanently to survive reboot
OpenBSD :

/etc/rc.conf.local:
pf=YES
pf_rules=/etc/pf.conf

FreeBSD:

/etc/rc.conf (not /etc/defaults/rc.conf, which only holds the defaults and should not be edited):
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

Working with rules.

# pfctl -F all             Flush (remove) all active rules, NAT, states and tables from the running packet filter; with nothing loaded pf passes everything, i.e. PERMIT ANY ANY
# pfctl -nf /etc/pf.conf   Only parse the rules from the file to check the syntax, without loading them
# pfctl -f /etc/pf.conf    Load the rules from the file

Order of sections in the file (older pf versions, including the one FreeBSD shipped at the time, enforce this order):
macros, tables, options, normalization (scrub), queueing, translation (nat/rdr), and finally the filtering rules.
Show commands.

# pfctl -s info    Show filter status and statistics
# pfctl -s rules   Show the currently loaded filter rules
# pfctl -s state   Show the contents of the state table
# pfctl -s all     Show all of the above (and more)

Simplest set of rules: block all incoming traffic except SSH, allow everything outgoing from the server.

# default deny for anything coming in
block in all
# whatever the server initiates goes out, and the replies are let back in by state
pass out all keep state
# inbound SSH; keep state explicitly so older pf versions without implicit state track the session too
pass in proto tcp from any to any port 22 keep state

It is just a beginning, to be continued later…
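Tying the Facebook pools listed above to the pf notes in this post, here is an added Python helper (example code, not from either original post) that parses the CIDR lines out of WHOIS output such as the ARIN records quoted earlier, collapses adjacent prefixes, renders a pf table with matching block rules, and can tell whether an address pulled from a log belongs to one of the pools. The WHOIS text is a constructed sample trimmed from the two records above; the interface name em0 and the table name are illustrative.

```python
import ipaddress
import re

# Constructed sample: the two ARIN records quoted above, trimmed to the lines used.
WHOIS_TEXT = """\
NetRange: 69.63.176.0 - 69.63.191.255
CIDR: 69.63.176.0/20
OriginAS: AS32934
NetName: TFBNET2
NetRange: 66.220.144.0 - 66.220.159.255
CIDR: 66.220.144.0/20
OriginAS: AS32934
NetName: TFBNET3
"""

CIDR_LINE = re.compile(r"^\s*CIDR:\s*(.+?)\s*$", re.M)


def whois_cidrs(text):
    """Extract IPv4 prefixes from 'CIDR:' lines (ARIN may list several per line,
    comma separated) and collapse adjacent or overlapping ones."""
    nets = []
    for m in CIDR_LINE.finditer(text):
        for tok in m.group(1).split(","):
            tok = tok.strip()
            if not tok:
                continue
            net = ipaddress.ip_network(tok, strict=False)
            if net.version == 4:
                nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def pf_block_rules(nets, table="facebook", iface="em0"):
    """Render a pf table plus rules blocking traffic to and from the pools.
    'const' forbids runtime changes to the table; iface is a placeholder."""
    members = ", ".join(str(n) for n in nets)
    return "\n".join([
        f"table <{table}> const {{ {members} }}",
        f"block return out quick on {iface} to <{table}>",
        f"block drop in quick on {iface} from <{table}>",
    ]) + "\n"


def in_pools(nets, ip):
    """True if the address string lies in any of the prefixes (handy for logs)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    pools = whois_cidrs(WHOIS_TEXT)
    print(pf_block_rules(pools), end="")
    print(in_pools(pools, "69.63.181.12"), in_pools(pools, "8.8.8.8"))
```

Drop the rendered lines into pf.conf (tables before the filter rules, per the section order above) and reload with `pfctl -nf` followed by `pfctl -f`; re-run the parser whenever the WHOIS records gain a new allocation.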

Posted in Solaris.



The D-day for CheckPoint UTM-1 Edge appliances happened today: reboots are reported all over the world


Today we (an ISP) got reports from clients that all their UTM-1 Edge devices rebooted early in the night, at about 03:00 AM Israel time on the 31st of October. While no official press release from Checkpoint has been seen so far, looking at cpug.org posts where people from around the globe report the same, I can assume with a high degree of certainty that this indeed was the case.
While I do hold the opinion that a reboot is always good for the Edge, I didn't think they meant to act upon it.
I can only hope the same doesn't happen one day to the UTM-1…

Update 2 Nov: Checkpoint released a SecureKnowledge article (sk56641) about it, where they say that yes, it happened, that it was caused by a bug, and that next time it will happen 13 years from now, when no Edge of this series is supposed to be in use.
Checkpoint note. CPUG thread about this.

Posted in Checkpoint NG/NGX.



The easiest way to disclose Cisco routers on the network and how to fix it

Cisco gear has a well-known behaviour pattern: when you telnet to some random, positively closed port on a Cisco device you get the uniform response "Connection refused". To be more precise, it happens when terminal-line (VTY) management access is enabled on the Cisco but your IP is not in the access-list allowing access to the device. The funny thing is that only Cisco seems to do it, and that makes exposing a Cisco device a no-brainer. I tested it on a few dozen Cisco routers (I don't talk about other equipment from the Golden Gate folks) and it only confirmed this observation. I also tested telnetting to other vendors' equipment and always got a timeout back. So far I've tried Juniper, Brocade, IBM and Huawei. To somehow fix this situation, Cisco actually have a feature in their Control Plane Protection toolbox just for that: a port-filter policy applied to the control-plane host subinterface, which drops packets aimed at ports the router is not listening on before the TCP stack can answer them with a reset. Below is the configuration from an IOS router that causes it to time out connection attempts to closed ports.

class-map type port-filter match-any CLOSED_PORTS
 match closed-ports
!
policy-map type port-filter FILTER_CLOSED_PORTS
 class CLOSED_PORTS
  drop
!
control-plane host
 service-policy type port-filter input FILTER_CLOSED_PORTS

Testing.
Before the configuration:

[root@darkstar ~]# telnet 19.6.24.51 444
Trying 19.6.24.51...
telnet: connect to address 19.6.24.51: Connection refused

After the configuration:

[root@darkstar ~]# telnet 19.6.24.51 444
Trying 19.6.24.51...
telnet: connect to address 19.6.24.51: Connection timed out
telnet: Unable to connect to remote host: Connection timed out

NB: Unfortunately it is only a half-solution, because if telnet access is enabled on the Cisco, then connection attempts to port 23 will still elicit the same "Connection refused" (the port-filter only touches closed ports). To close even this disclosure hole, disable telnet as the management protocol and switch to SSH.
NB2: The good news for the pentesters out there is that few ISPs implement such protections.
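As an added example (not from the original post), here is a Python sketch of the recon check described above: connect to a handful of ports you expect to be closed and classify what comes back. A Cisco whose VTY access is restricted resets the connection, which the OS surfaces as ECONNREFUSED, whereas a device that silently drops (or a Cisco with the port-filter policy above) yields a timeout. The target host and port list in the usage block are placeholders, and the classification is exercised on constructed exceptions so it can be checked offline.

```python
import errno
import socket

REFUSED = "refused"   # TCP RST came back: host answers on closed ports (IOS-like)
TIMEOUT = "timeout"   # nothing came back: dropped (most other vendors, or CPPr port-filter)
OPEN = "open"         # three-way handshake completed
OTHER = "other"       # unreachable, reset mid-way, etc.


def classify(exc):
    """Map the outcome of socket.connect() (None on success, otherwise the
    exception raised) to one of the four labels above."""
    if exc is None:
        return OPEN
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return TIMEOUT
    code = getattr(exc, "errno", None)
    if isinstance(exc, ConnectionRefusedError) or code == errno.ECONNREFUSED:
        return REFUSED
    if code == errno.ETIMEDOUT:
        return TIMEOUT
    return OTHER


def probe(host, port, timeout=3.0):
    """One TCP connect attempt against host:port, returning the label."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        outcome = None
    except OSError as e:                  # socket.timeout is an OSError subclass
        outcome = e
    finally:
        s.close()
    return classify(outcome)


def looks_like_ios(results):
    """results maps port -> label for ports chosen to be closed. The fingerprint
    is every probe being actively refused rather than timing out."""
    labels = set(results.values())
    return bool(labels) and labels == {REFUSED}


if __name__ == "__main__":
    host = "192.0.2.1"                    # placeholder target
    ports = (444, 4445, 31337)            # high ports expected to be closed
    results = {p: probe(host, p) for p in ports}
    verdict = "Cisco-like" if looks_like_ios(results) else "not Cisco-like"
    print(results, "->", verdict)
```

Pick ports well away from anything a management plane would listen on, so an "open" result does not pollute the verdict; port 23 is deliberately left out for the reason given in the NB above.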

Posted in Cisco, IOS Cisco, Scan of the week.
