Archive for the ‘security’ Category

Pulledpork

May 10th, 2010

If you are using Snort as an IDS, you might want to take a look at pulledpork for updating and managing rules.

networking, security, tools

nmap survey

April 8th, 2010

There is a survey about nmap.

You can also vote for your favorite security tools and you can even win something.

security, tools

Troubleshooting

April 6th, 2010

Some time ago I was asked to investigate why a certain script was running so slowly. The script used fwm logexport to convert a Checkpoint log file to an ASCII file.

While the script was running, network access to the server was really slow. Having access to tcpdump or Wireshark would have shown what was happening. Unfortunately Windows doesn’t ship with such essential tools in the default install.

Reading the manual made an educated guess possible. There are two parameters, -n and -p, which disable DNS and port resolution while converting the log file. And guess what: instead of a couple of hours the script only needed a few minutes to finish. (The log file was about 2,000,000 lines long.)

So here is the syntax used now:

fwm logexport -n -p -i %fwdir%\log\input -o output

checkpoint, networking, security

Survey of IPv6 Availability on Commercial Firewalls

April 3rd, 2010

Until May 1st you can participate in a survey on IPv6 support in commercial firewalls from ICANN.

I can’t wait to see the results.

ipv6, networking, security

The other day…

April 2nd, 2010

I made a joke that “cisco” is the default password on most Cisco systems because they use it in their documentation and training material. A colleague wouldn’t believe me. Then he asked me if I could check something on a customer’s Cisco router once he got me a user name and password.

Guess what: “cisco” worked for both login and enable.

For those of you who don’t know Cisco: normally there is no default password. You can only log in remotely once you have configured remote access via ssh / telnet and a password. Until then you only have access to the serial console.

Cisco, WTF, networking, security

ACL management

March 18th, 2010

It’s always a problem to keep all the ACLs in a network coherent. Recently I was made aware of a small tool from Google which makes managing ACLs on Cisco, Juniper and Linux much easier to handle.

Take a look at Capirca.

Some features, like IPv6 ACL support for Cisco, are still missing, but it looks quite promising.

Cisco, Juniper, linux, networking, security

Telnet?

October 29th, 2009

I recently reviewed a Cisco router configuration. Access via ssh was disabled and only telnet was allowed from some hosts. Ok, IOS only supports key authentication starting with IOS 15, but I think that using an encrypted channel to configure and troubleshoot a router is better than clear text. And ssh has been available in the standard image for quite some time.

Cisco, networking, security

Strange Question…

August 26th, 2009

I gave my usual presentation on IPv6 last Saturday at FrOSCon, and there was one question nobody had asked before:

“When will IPv6 be as secure as IPv4?”

IPv4? Secure? Did anyone bother to read the latest Cisco security advisories? From my point of view IPv6 is as secure as IPv4, maybe even more so if you keep in mind that all the problems with NAT are gone. Sure, there will be bugs in the implementations, but there are still bugs in some IPv4 implementations. Most of the problems are in applications using upper-level protocols, especially HTTP apps written in PHP.

ipv6, networking, security

Ethereal

May 19th, 2009

Every now and then I read that people are still using Ethereal. Ethereal has been dead for more than 3 years (although the website is still up and running). Wireshark is the successor of Ethereal. I urge everybody to stop using Ethereal and start using Wireshark. Besides the many new features, several serious security bugs have been fixed since. (Okay, there are probably several new security bugs, but they’ll hopefully get fixed upon discovery.)

To find out why Ethereal died and Wireshark was created, check out the Wireshark FAQ.

networking, security, tools

fw monitor

May 8th, 2009

One of the most important tools when working with Check Point firewalls is fw monitor.

fw monitor is a packet capturing tool that not only captures packets but also records the path a packet takes through the firewall. This way you can see where a packet gets lost or is modified (some firewalls like to modify TCP sequence numbers on outgoing packets).

The captured data can be saved and analyzed with Wireshark. Just enable “Attempt to interpret as Firewall-1 monitor file” under Edit → Preferences → Protocols → Ethernet.

You can find a detailed tutorial here. Just substitute Ethereal with Wireshark. Ethereal has been dead for three years now.

There is also a wrapper to use tcpdump syntax with fw monitor.
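To illustrate what "recording the path of a packet through the firewall" buys you, here is a small added example (my own code, not part of the original post and not a Check Point tool). It parses a constructed text snippet written in the style of fw monitor's text output, where each packet produces a header line at every inspection point it reaches (i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound) followed by a protocol line. The exact line layout, the flow tuples and the sequence numbers in SAMPLE are assumptions built for the example; the script groups the lines by TCP 4-tuple, reports the last inspection point each packet reached (and therefore which stage lost it) and flags a TCP sequence number that was rewritten between two points.

```python
import re
from collections import OrderedDict

# Constructed sample in the style of fw monitor's text output (not a real
# capture). Packet id=1001 is forwarded and gets its TCP sequence number
# rewritten between post-inbound (I) and pre-outbound (o); packet id=1002
# is only seen at pre-inbound (i) and never reappears.
SAMPLE = """\
eth0:i[60]: 10.1.1.10 -> 192.0.2.80 (TCP) len=60 id=1001
TCP: 40000 -> 80 .S.... seq=11111111 ack=00000000
eth0:I[60]: 10.1.1.10 -> 192.0.2.80 (TCP) len=60 id=1001
TCP: 40000 -> 80 .S.... seq=11111111 ack=00000000
eth1:o[60]: 10.1.1.10 -> 192.0.2.80 (TCP) len=60 id=1001
TCP: 40000 -> 80 .S.... seq=7d1f3a2c ack=00000000
eth1:O[60]: 10.1.1.10 -> 192.0.2.80 (TCP) len=60 id=1001
TCP: 40000 -> 80 .S.... seq=7d1f3a2c ack=00000000
eth0:i[60]: 10.1.1.11 -> 192.0.2.22 (TCP) len=60 id=1002
TCP: 40001 -> 22 .S.... seq=22222222 ack=00000000
"""

# Header line: "<interface>:<point>[<len>]: <src> -> <dst> (<proto>) len=<n> id=<n>"
HEADER = re.compile(
    r"^(?P<ifc>[^:\s]+):(?P<pt>[iIoO])\[\d+\]:\s+(?P<src>\S+) -> (?P<dst>\S+) "
    r"\((?P<proto>\w+)\) len=\d+ id=(?P<id>\d+)$"
)
# Protocol line for TCP: "TCP: <sport> -> <dport> <flags> seq=<hex> ack=<hex>"
TCP = re.compile(
    r"^TCP: (?P<sport>\d+) -> (?P<dport>\d+) (?P<flags>\S+) "
    r"seq=(?P<seq>[0-9a-fA-F]+) ack=(?P<ack>[0-9a-fA-F]+)$"
)

# The processing stage that sits after each inspection point; a packet whose
# last recorded point is X was lost in STAGE_AFTER[X].
STAGE_AFTER = {
    "i": "inbound inspection",
    "I": "routing (or the packet was destined to the gateway itself)",
    "o": "outbound inspection",
}


def verdict(points):
    """Summarise where a packet ended up from the list of points it reached."""
    if not points:
        return "not seen"
    last = points[-1]
    if last == "O":
        return "forwarded"
    return "lost in %s (last seen at %s)" % (STAGE_AFTER[last], last)


def trace_fw_monitor(text):
    """Group header/TCP line pairs by TCP 4-tuple (src, sport, dst, dport).

    Returns an ordered dict mapping each 4-tuple to the inspection points it
    reached, the sequence number seen at each point, any sequence rewrites
    between consecutive points, and a verdict string.
    """
    flows = OrderedDict()
    pending = None  # header of the packet whose protocol line comes next
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.groupdict()
            continue
        t = TCP.match(line)
        if t and pending and pending["proto"] == "TCP":
            key = (pending["src"], t["sport"], pending["dst"], t["dport"])
            rec = flows.setdefault(key, {"points": [], "seqs": [], "seq_changes": []})
            rec["points"].append(pending["pt"])
            rec["seqs"].append(t["seq"].lower())
            # A sequence number that differs from the previous point means
            # the firewall rewrote it in between (e.g. SYN sequence randomisation).
            if len(rec["seqs"]) > 1 and rec["seqs"][-1] != rec["seqs"][-2]:
                rec["seq_changes"].append(
                    (rec["points"][-2], rec["points"][-1], rec["seqs"][-2], rec["seqs"][-1])
                )
            pending = None
    for rec in flows.values():
        rec["verdict"] = verdict(rec["points"])
    return flows


if __name__ == "__main__":
    for (src, sport, dst, dport), rec in trace_fw_monitor(SAMPLE).items():
        print("%s:%s -> %s:%s  path=%s  %s" % (src, sport, dst, dport, "".join(rec["points"]), rec["verdict"]))
        for frm, to, old, new in rec["seq_changes"]:
            print("   seq rewritten between %s and %s: %s -> %s" % (frm, to, old, new))
```

Run against a real capture you would feed the script fw monitor's text output instead of SAMPLE; the interesting cases are exactly the two shown: a flow whose path stops before O (the stage after the last point is where to look in the rule base or the routing table) and a flow whose sequence number changes between I and o, which is the outgoing-sequence rewriting the post mentions and which Wireshark will otherwise show as a seemingly unrelated second SYN.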

checkpoint, security, tools