Archive of posts with category 'Security'

Security - Just Another Risk

I made a conscious decision to move away from full-time information security work. I retain an interest, and try to keep up with developments, but I don’t want to be...

IPv6-test.com and SRX firewall policies

ipv6-test.com is a useful site for testing IPv4 & IPv6 connectivity. It checks that v4 & v6 are working as expected, and reports your browser v4/v6 preferences. It does have one...

Using Check Point Identity Awareness with NAT

Check Point Identity Awareness is problematic in environments that have multiple customers, overlapping private address space, and NAT. It can be done, if you understand the traffic flows, the connections needed,...

F5 APM, SRX and DTLS NAT Timeout

I have been having issues using the F5 APM client behind a Juniper SRX-110 using hide NAT. I believe I’ve tracked it down to the default timeout settings used for...

Check Point SmartLog - Recommended

Trigger warning for Check Point haters: I’m about to say nice things about Check Point.

Check Point - Don't Use the 'Install On' Column

I got caught out by Check Point’s “Install On” column recently. Most people don’t need this setting any more, but it’s still there for legacy reasons. Time to re-evaluate.

Check Point - Upgrade Without Dropping Connections

Check Point firewall upgrades have always been painful. The loss of connection state is a big part of this. Existing connections stop working, and many applications need restart. It looks like...

DNSSEC - Moving the Needle

The New Zealand ISP market is dominated by Spark, Vodafone & CallPlus/Orcon. A side effect of this is that if one player does the Right Thing™, it really moves the...

War Stories: Unix Security

This article is Part 8 in a 12-Part Series. Part 1 - War Stories: Loops that Permanently Broke the Network Part 2 - War Stories: Switches Lying about Duplex Mismatches...

Juniper SRX-110H EoL

Somehow I missed this when it was announced, but the Juniper SRX-110H-VA is End of Life, and is no longer supported for new software releases.

Complexity vs Security

Many of the ‘security’ measures in our networks add complexity. That may be an acceptable tradeoff, if we make a meaningful difference to security. But often it feels like we...

Andrisoft Wanguard: Cost-Effective Network Visibility

Andrisoft Wansight and Wanguard are tools for network traffic monitoring, visibility, anomaly detection and response. I’ve used them, and think that they do a good job, for a reasonable price....

Using Firewalls for Policy Has Been a Disaster

Almost every SDN vendor today talks about policy, how they make it easy to express and enforce network policies. Cisco ACI, VMware NSX, Nuage Networks, OpenStack Congress, etc. This sounds...

Shellshock: One Month On

Shellshock was released a little over a month ago, to wide predictions of doom & gloom. But somehow the Internet survived, and we lurch on towards the next crisis. I...

Disappointed With Check Point

I have recently started working with Check Point products again, after a 5-year break. This has given me a different perspective on how they are progressing. It has been disappointing to...

CloudFlare: That Was Easy

I switched this blog over to using CloudFlare a few days ago. It’s all been pretty painless, and I highly recommend it to others.

War Stories: Dual-Vendor Firewall Strategy

This article is Part 4 in a 12-Part Series. Part 1 - War Stories: Loops that Permanently Broke the Network Part 2 - War Stories: Switches Lying about Duplex Mismatches...

War Stories: Check Point Meltdown

This article is Part 3 in a 12-Part Series. Part 1 - War Stories: Loops that Permanently Broke the Network Part 2 - War Stories: Switches Lying about Duplex Mismatches...

Kiwicon 7

Kiwicon 7 has just wrapped up in Wellington, New Zealand. Kiwicon is “New Zealand’s own Hacker Conference.” It’s a top-notch event that’s been running for 7 years now, and highly recommended...

'Black Tuesday' - Isn't it Just Business as Usual?

Microsoft patches are released on a (mostly) monthly cycle, and other vendors have started following suit. When this first happened, people treated it like a major event. But I think...

Squid with Dynamic SSL Cert and Kerberos Authentication

If you implement a proxy server for security reasons, you must implement SSL Intercept, or anyone can waltz on past your anti-virus, filtering, and content restrictions. For a previous employer,...