Posts

Showing posts from September, 2017

VRRP or ClusterXL in GAIA?

VRRP:

Pros:
1. By default, a single virtual MAC address floats between the cluster members, following whichever member is currently Master.
2. Doesn't care about CoreXL or other physical differences between cluster members. But why would you have differently sized cluster members, you cheap bast**d? :)


Cons:
1. The Master/Backup decision is made per interface, one interface at a time, so a fault on a single link can leave a member Master on some interfaces and Backup on others: a potential split brain.
2. No health checking of the cluster peer(s).
3. The virtual MAC is derived from the VRID (00:00:5e:00:01:VRID), so if the same VRID is used on every interface the same virtual MAC appears on multiple VLANs. When several firewall interfaces connect to the same switch, that can confuse the switch.
4. VRRP advertisements are still subject to IGMP snooping, just like ClusterXL CCP in multicast mode: they are multicast to 224.0.0.18 (MAC 01:00:5e:00:00:12) and sourced from the virtual MAC.
5. Only the Master transmits advertisements (hello packets), so there is no status information about the Backup member; VRRP interfaces must be monitored individually to discover whether a Layer 2 connectivity problem exists on one or more of them.
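
The VRRPv2 mechanics behind cons 1, 3, 4 and 5, as an added example that is not Check Point or Gaia code: the virtual MAC derived from the VRID, a decoder for the Master's advertisement (RFC 3768 layout, with the Internet checksum verified), the Master_Down_Interval a Backup waits before taking over, and two per-interface checks, one for interfaces that would share a virtual MAC and one for interfaces whose Master has gone silent. The packets, interface names and timestamps below are constructed for the example; VRRPv2 (seconds-based advertisement interval) is assumed.

```python
"""VRRPv2 (RFC 3768) helpers for the per-interface failure modes listed above.
Added example, not Check Point code; all packets and interface data are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

VRRP_MCAST_IP = "224.0.0.18"           # destination of every advertisement
VRRP_MCAST_MAC = "01:00:5e:00:00:12"   # its mapped Ethernet multicast MAC


def virtual_mac(vrid: int) -> str:
    """IPv4 virtual router MAC: 00-00-5E-00-01-{VRID}. Same VRID => same MAC."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum over the VRRP message; a message whose checksum field
    is already correct sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Advertisement:
    vrid: int
    priority: int
    adver_int: int          # seconds in VRRPv2
    addresses: List[str]


def build_advertisement(vrid: int, priority: int, adver_int: int,
                        addresses: List[str]) -> bytes:
    """Constructed VRRPv2 advertisement (type 1), auth type 0, valid checksum."""
    head = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority,
                       len(addresses), 0, adver_int, 0)
    body = b"".join(bytes(int(o) for o in a.split(".")) for a in addresses)
    pkt = head + body + b"\x00" * 8      # 8 bytes of (unused) authentication data
    csum = ones_complement_checksum(pkt)
    return pkt[:6] + struct.pack("!H", csum) + pkt[8:]


def parse_advertisement(pkt: bytes) -> Advertisement:
    """Decode and validate an advertisement; malformed input raises ValueError."""
    if len(pkt) < 16:
        raise ValueError("truncated VRRP packet")
    vt, vrid, prio, count, _auth, adver_int, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if ones_complement_checksum(pkt) != 0:
        raise ValueError("bad VRRP checksum")
    if len(pkt) < 8 + 4 * count + 8:
        raise ValueError("address count exceeds packet length")
    addrs = [".".join(str(b) for b in pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return Advertisement(vrid, prio, adver_int, addrs)


def master_down_interval(priority: int, adver_int: int) -> float:
    """Seconds a Backup waits without hearing the Master before taking over:
    3 * Advertisement_Interval + Skew_Time, where Skew_Time = (256 - Priority) / 256."""
    return 3 * adver_int + (256 - priority) / 256


def duplicate_vrid_vlans(vrid_per_interface: Dict[str, int]) -> Dict[str, List[str]]:
    """Con 3: interfaces (VLANs) that would present the same virtual MAC."""
    by_mac: Dict[str, List[str]] = {}
    for iface, vrid in vrid_per_interface.items():
        by_mac.setdefault(virtual_mac(vrid), []).append(iface)
    return {mac: ifs for mac, ifs in by_mac.items() if len(ifs) > 1}


def silent_interfaces(last_seen: Dict[str, Tuple[Advertisement, float]],
                      now: float) -> List[str]:
    """Cons 1 and 5: each interface is judged on its own. Returns the interfaces
    whose Master has been silent longer than its Master_Down_Interval; on a Backup
    these are the interfaces that would transition to Master independently."""
    return [iface for iface, (adv, seen_at) in last_seen.items()
            if now - seen_at > master_down_interval(adv.priority, adv.adver_int)]


if __name__ == "__main__":
    # Constructed scenario: VRID 10 on eth1 and eth2 (same virtual MAC); the Master
    # was last heard on eth2 five seconds ago with a 1 s advertisement interval.
    adv = parse_advertisement(build_advertisement(10, 100, 1, ["10.1.1.1"]))
    print(adv, virtual_mac(adv.vrid))
    print(duplicate_vrid_vlans({"eth1": 10, "eth2": 10, "eth3": 11}))
    print(silent_interfaces({"eth1": (adv, 100.0), "eth2": (adv, 95.0)}, 100.5))
```

With priority 100 and a 1 second interval the Backup waits 3.609375 s per interface; an interface that misses that window fails over on its own, which is the split-brain risk of con 1 and the reason con 5 calls for per-interface monitoring.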


ClusterXL:

Captive Portal Fails to Load Properly or Returns 404

This article describes how to fix the issue whereby the captive portal fails to load, is returned only partially (without the user/password fields) or returns a 404 error. The same change also mitigates slow access to a Mobile Access gateway over wireless or lossy networks.

The mechanism responsible for the problems is SACK, an acronym for Selective Acknowledgment. Two TCP options, SACK-permitted and SACK, alter the acknowledgment behaviour of TCP:

SACK-permitted: offered to the remote end during TCP setup as an option on the opening SYN packet (and confirmed on the SYN/ACK); it only negotiates that SACK may be used on the connection.

SACK: carried in later segments once both sides have permitted it, it lets the receiver acknowledge non-contiguous blocks of data it holds beyond the cumulative acknowledgment, so the sender retransmits only the missing segments.

The default TCP acknowledgment behaviour is to acknowledge only the highest sequence number of in-order bytes. This default behaviour is prone to cause unnecessary retransmission of data, which can exacerbate a congestion condition that may have been the cause of the original packet loss. A packet capture on…
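
The two options described above, as an added example that is not Check Point code: a decoder for the TCP option list that reports SACK-permitted (kind 4) on a SYN and the SACK blocks (kind 5) on a later ACK, plus a small model of what a receiver can report after a lost segment with and without SACK. The TCP headers, port numbers and sequence numbers are constructed for the example (checksums left at zero).

```python
"""TCP SACK option decoding and the cumulative-ACK versus SACK comparison.
Added example, not Check Point code; headers below are constructed by hand."""
import struct
from typing import Dict, List, Tuple

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS, TCPOPT_SACK_PERMITTED, TCPOPT_SACK = 0, 1, 2, 4, 5
FLAG_SYN, FLAG_ACK = 0x02, 0x10


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                     options: bytes) -> bytes:
    """Constructed 20-byte fixed header plus options padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4,
                       flags, 65535, 0, 0) + options


def parse_tcp_options(header: bytes) -> dict:
    """Walk the option TLVs after the fixed header. Returns sack_permitted,
    sack_blocks as (left_edge, right_edge) pairs, and the raw (kind, value) list."""
    if len(header) < 20:
        raise ValueError("short TCP header")
    data_offset = (header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("bad data offset")
    opts = header[20:data_offset]
    out = {"sack_permitted": False, "sack_blocks": [], "raw": []}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:                 # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError(f"option kind {kind} has no length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"option kind {kind} has bad length {length}")
        value = opts[i + 2:i + length]
        out["raw"].append((kind, value))
        if kind == TCPOPT_SACK_PERMITTED and length == 2:
            out["sack_permitted"] = True
        elif kind == TCPOPT_SACK:
            if len(value) % 8:
                raise ValueError("SACK option must carry 8-byte blocks")
            out["sack_blocks"] = [struct.unpack("!II", value[j:j + 8])
                                  for j in range(0, len(value), 8)]
        i += length
    return out


def _merge(segments: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Turn (seq, length) segments into sorted, non-overlapping [start, end) ranges."""
    ranges: List[Tuple[int, int]] = []
    for seq, length in sorted(segments):
        end = seq + length
        if ranges and seq <= ranges[-1][1]:
            ranges[-1] = (ranges[-1][0], max(ranges[-1][1], end))
        else:
            ranges.append((seq, end))
    return ranges


def receiver_ack(isn: int, received: List[Tuple[int, int]],
                 sack_negotiated: bool) -> Tuple[int, List[Tuple[int, int]]]:
    """What the receiver can tell the sender about the segments it holds.
    Returns (ACK number, SACK blocks). Without SACK the ACK names only the highest
    in-order byte, so data received beyond a hole is invisible to the sender and
    is retransmitted along with the lost segment."""
    expected = isn + 1                      # first data byte after the SYN
    ranges = [(s, e) for s, e in _merge(received) if e > expected]
    ack = expected
    if ranges and ranges[0][0] <= expected:
        ack = ranges[0][1]
        ranges = ranges[1:]
    if not sack_negotiated:
        return ack, []
    return ack, ranges[:4]                  # RFC 2018: at most four blocks fit in the option space


# Constructed headers: a client SYN offering MSS then SACK-permitted, and a later
# ACK carrying one SACK block for data received beyond a lost segment.
SAMPLE_SYN = build_tcp_header(40000, 443, 1000, 0, FLAG_SYN,
                              b"\x02\x04\x05\xb4" + b"\x04\x02")
SAMPLE_SACK_ACK = build_tcp_header(443, 40000, 5000, 2461, FLAG_ACK,
                                   b"\x01\x01\x05\x0a" + struct.pack("!II", 3921, 6841))

if __name__ == "__main__":
    print(parse_tcp_options(SAMPLE_SYN))
    print(parse_tcp_options(SAMPLE_SACK_ACK)["sack_blocks"])
    # 1460-byte segments from ISN 1000; the second one (seq 2461) is lost.
    held = [(1001, 1460), (3921, 1460), (5381, 1460)]
    print(receiver_ack(1000, held, sack_negotiated=False))   # (2461, [])
    print(receiver_ack(1000, held, sack_negotiated=True))    # (2461, [(3921, 6841)])
```

Run it and the contrast is the one the article describes: with one segment lost, a plain receiver can only say "I have up to 2461", while a SACK receiver adds "and I also hold 3921 to 6841", so the sender resends one segment rather than three.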

Checkpoint: Change the Default Shell for “admin” in Gaia and SecurePlatform

This article details how to change the default shell for the admin user on both Gaia and SecurePlatform (SPlat) systems.

SecurePlatform

In SecurePlatform, all we need to do is log in to expert mode and use the change-shell command, chsh:

myfirewall> expert
Enter expert password:
myfirewall # chsh -s /bin/bash admin
Shell changed.

This permanently changes the shell and will survive a reboot.

Gaia

The above will also work in Gaia but will not survive a reboot: the shell will default back to clish. Doing a cat on /etc/shells in expert mode will show you what is available:

myfirewall> expert
Enter expert password:
Warning! All configuration should be done through clish
You are in expert mode now.
[Expert@myfirewall:0]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/scponly
/bin/tcsh
/bin/csh
/etc/cli.sh
[Expert@myfirewall:0]#

To effect the change we use the “set user” command; in this example we will set it to the …
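
The check that the cat of /etc/shells is really for, as an added POSIX shell helper that is not from the article: before handing a shell to chsh or clish it verifies the exact path is listed in /etc/shells and refuses the non-interactive entries (/sbin/nologin, /usr/bin/scponly) that would lock admin out of an interactive login. It only prints the command for the chosen platform rather than running it; the Gaia clish syntax it prints is this example's assumption, since the article's own Gaia command is cut off above, and SHELLS_FILE can be pointed at a copy of /etc/shells for a dry run.

```sh
#!/bin/sh
# Added example, not the article's code: validate a requested login shell for the
# admin account before changing it on SecurePlatform (chsh) or Gaia (clish).
# SHELLS_FILE may be overridden to check against a copy of /etc/shells.

SHELLS_FILE="${SHELLS_FILE:-/etc/shells}"

# shell_listed SHELL [FILE] -> 0 if the exact path is a line in the shells file
shell_listed() {
    _shell="$1"
    _file="${2:-$SHELLS_FILE}"
    grep -qxF -- "$_shell" "$_file"
}

# interactive_shell SHELL -> 1 for entries that give no interactive session
interactive_shell() {
    case "$1" in
        /sbin/nologin|/usr/bin/scponly|/bin/false) return 1 ;;
        *) return 0 ;;
    esac
}

# shell_change_cmd PLATFORM USER SHELL [FILE] -> prints the command(s) to run,
# or writes the reason for refusal to stderr and returns 1
shell_change_cmd() {
    _platform="$1"; _user="$2"; _shell="$3"; _file="${4:-$SHELLS_FILE}"
    if ! shell_listed "$_shell" "$_file"; then
        echo "refusing: $_shell is not listed in $_file" >&2
        return 1
    fi
    if ! interactive_shell "$_shell"; then
        echo "refusing: $_shell would leave $_user without an interactive login" >&2
        return 1
    fi
    case "$_platform" in
        splat)
            # chsh writes /etc/passwd directly and survives a reboot on SPlat
            echo "chsh -s $_shell $_user" ;;
        gaia)
            # clish syntax assumed for this example; the change must be saved
            printf 'set user %s shell %s\nsave config\n' "$_user" "$_shell" ;;
        *)
            echo "unknown platform: $_platform (use splat or gaia)" >&2
            return 1 ;;
    esac
}
```

Usage: `shell_change_cmd gaia admin /bin/bash` prints the commands to paste into clish; `shell_change_cmd splat admin /bin/zsh` fails because /bin/zsh is not in /etc/shells on the firewall shown above.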

Security Advisory – New Ransomware Variant Locky 2017.docx

Criticality
High

Affected Versions/Systems/Devices
Windows

Affected Regions
Global


Detailed Summary:

It has been reported that a new wave of spam e-mails is circulating with common subject lines to spread variants of Locky ransomware. Reports indicate that over 23 million messages have been sent in this campaign. The messages carry common subjects such as "please print", "documents", "photo", "Images", "scans" and "pictures"; the subject text may change in targeted spear-phishing campaigns.
The messages contain "zip" attachments with a Visual Basic Script (VBS) embedded in a secondary zip file. The VBS file is a downloader which polls the domain "greatesthits[dot]mygoldmusic[dot]com" (please do not visit this malicious website) to download variants of Locky.
The e-mails were sent from a botnet, from various IP addresses around the world. The Message-ID header was spoofed so that it ended with …
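
Detection logic for the attachment pattern the advisory describes (a zip attachment that nests a second zip holding a VBS downloader), as an added example that is not the advisory's own tooling. It unpacks zip attachments in memory, descends into nested zips up to a fixed depth, and blocks a message that carries a script file at any level; a subject-only match is flagged rather than blocked. The sample attachment is constructed in memory with a harmless placeholder in place of the script; the script extensions beyond .vbs are an assumption added for coverage.

```python
"""Mail-gateway check for nested-zip script attachments (Locky campaign pattern).
Added example, not the advisory's code; the sample attachment is constructed below."""
import io
import zipfile
from typing import Dict, List

# The advisory names .vbs; the other Windows script types here are an assumption.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
# Subject lines from the advisory, lower-cased; matched exactly after trimming.
SUSPICIOUS_SUBJECTS = {"please print", "documents", "photo", "images", "scans", "pictures"}
MAX_NESTING = 3   # zips nested deeper than this are reported as a finding in themselves


def find_scripts_in_archive(data: bytes, prefix: str = "", depth: int = 0) -> List[str]:
    """Paths of script files inside a zip, descending into nested zips.
    Non-zip data yields no findings; excessive nesting yields a synthetic one."""
    if depth > MAX_NESTING:
        return [prefix + "<nesting limit exceeded>"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    found: List[str] = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(SCRIPT_EXTENSIONS):
                found.append(prefix + name)
            elif name.lower().endswith(".zip"):
                found.extend(find_scripts_in_archive(zf.read(info), prefix + name + "/", depth + 1))
    return found


def subject_matches(subject: str) -> bool:
    return subject.strip().lower() in SUSPICIOUS_SUBJECTS


def classify_message(subject: str, attachments: Dict[str, bytes]) -> dict:
    """Verdict for one message: 'block' if any zip attachment carries a script
    (directly or nested), 'flag' if only the subject matches, otherwise 'allow'."""
    scripts: Dict[str, List[str]] = {}
    for fname, blob in attachments.items():
        if fname.lower().endswith(".zip"):
            hits = find_scripts_in_archive(blob, fname + "/")
            if hits:
                scripts[fname] = hits
    if scripts:
        verdict = "block"
    elif subject_matches(subject):
        verdict = "flag"
    else:
        verdict = "allow"
    return {"verdict": verdict, "scripts": scripts, "subject_match": subject_matches(subject)}


def make_zip(files: Dict[str, bytes]) -> bytes:
    """Build a zip in memory (used here only to construct the sample attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: outer zip -> inner zip -> .vbs (placeholder text, not a downloader).
SAMPLE_INNER_ZIP = make_zip({"photo_0012.vbs": b"' placeholder script body\r\n"})
SAMPLE_ATTACHMENT = make_zip({"photo_0012.zip": SAMPLE_INNER_ZIP})

if __name__ == "__main__":
    print(classify_message("photo", {"photo_0012.zip": SAMPLE_ATTACHMENT}))
    print(classify_message("documents", {"report.pdf": b"%PDF-1.4"}))
```

The depth limit matters in production: a gateway that recurses into arbitrarily nested archives is itself a denial-of-service target, so the example treats nesting beyond the limit as a reason to block rather than something to keep unpacking.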