Here’s how to create an isolated lab for replaying malicious PCAP through an IPS or inline device. In this use case, I have a Palo Alto VM 300 trial in EC2. Host A is on the trusted zone interface. Host B is on the untrusted zone interface. Host 172.16.10.66 is Read more…
Only IKEv2Unified configScalableServer/ClientCA Server recommended Prereq 1 – CA Server/Client: Server: ip domain-name cisco.com crypto key generate rsa modulus 1024 ip http server crypto pki server CA crypto pki trustpoint CA issuer-name O=CISCO L=SanJose C=US grant auto sh crypto pki certificates Client: ip domain-name cisco.com crypto key generate rsa modulus Read more…
Does not support IKEv2. Only IKE v1. Does not have an overlay routing protocol or tunnel. Encrypts data in the underlay itself. Since there’s no overlay tunnel you don’t need additional subnets created. Centralized policy management. Policies in one place and pushed to all clients. The Keyserver. Components:-GM (Group Member)-KS Read more…
Google doesn’t allow you to bridge their network box so you would have to double NAT and double port forward. Maybe some people are fine with that, but I hate it. Luckily, it’s really easy to bypass. Default: fiber_line –> fiber_to_ethernet_jack –> Google_Network_Box The Google Fiber network box powers the Read more…
Threw together a pres on the easiest way to learn IPv6 I could come up with. IPv6_Pres Enjoy, if you’re into this type of stuff.
There are a number of things needed to stop ARP poisoning properly in a Cisco environment. DHCP snooping Trusted ports Dynamic ARP inspection A filter for static IPs DHCP snooping prevents rogue DHCP servers and is the groundwork for all this. It builds a database of bindings and specifies where Read more…
I’ve been comparing SSL decryption services and devices, and Zscaler is much more than that. It’s an all-in-one Content Filtering, SSL decrypting, DLP, Bandwidth controlling(quota), IPS, Malware preventing(including sandbox) awesome cloud based solution. AND, It works with mobile devices even if they’re roaming! The solution consists of GRE tunnels out Read more…
Here’s a pfSense setup with a HE tunnel, routed /64 on the inside, and a subnetted out /112 for the VPN. Inside users have dual stack and can surf v4 or v6. Outside users VPN in, and receive an IPv4 and v6 virtual IP. Once in they can route out Read more…
Here’s how to onfigure a pfSense firewall to be a VPN client so IPv4 traffic always traverses the VPN. Build a VM at a cloud provider and configure it as an OpenVPN server. Using a self signed CA, cert, and TLS auth. edit – /etc/openvpn/server.conf add: push “redirect-gateway def1” edit Read more…
The pfSense page here does a good job of explaining what router advertisements are and some of the settings, but I had to play around to make it work. If you have a flat uncomplicated network at home, the defaults will probably work fine. Clients would pull IPv6 + the default Read more…