Channel: Network – Weberblog.net
Browsing all 253 articles

True Random PSK Generator on a Raspi

In my previous blogpost I talked about the true random number generator (TRNG) within the Raspberry Pi. Now I am using it for a small online pre-shared key (PSK) generator at https://random.weberlab.de...

Discovering Policy-Based Routes with Layer 4 Traceroutes (LFT)

I already published a few examples of how you can use layer four traceroutes in order to pass firewall policies that block ping but allow some well-known ports such as 80 or 443. Long story short: Using...

Palo Alto Application: First Packets Will Pass!

I am using an almost hidden FTP server in my DMZ behind a Palo Alto Networks firewall. FTP is only allowed from a few static IP addresses, hence no brute-force attacks on my server. Furthermore, I have...

FortiGate Out-of-Band Management

In some situations you want to manage your firewall only from a dedicated management network and not through any of the data interfaces. For example, when you’re running an internal data center with no...

Route- vs. Policy-Based VPN Tunnels

There are two methods of site-to-site VPN tunnels: route-based and policy-based. While some of you may already be familiar with this, some may have never heard of it. Some firewalls only implement one...

Passwords vs. Private Keys

It is widely believed that public/private keys or certificates are “more secure” than passwords. E.g., an SSH login via key rather than using a password. Or a site-to-site VPN with certificate...

IPv6 Upper Layer Protocol Samples

Some time ago I published a pcap that can be used to study basic IPv6 protocol messages such as ICMPv6 for Router Advertisements, Neighbor Solicitations, etc.: “Basic IPv6 Messages: Wireshark Capture”....

IPv6 Renumbering: A Pain in the …

If you’re following my blog you probably know that I am using IPv6 everywhere. Everything in my lab is dual-stacked if not already IPv6-only. Great so far. A few months ago my lab moved to another ISP...

IPv6 Interface ID Structure

While there are many approaches on how to structure your IPv6 prefix into /64 subnets (blogposts, books, talks), there are only a few hints on what you can do with the other 64 bits of the addresses,...

2001:db8::/32 in the Wild

If you have ever read some docs or RFCs about IPv6 you should be quite familiar with the 2001:db8::/32 “IPv6 Address Prefix Reserved for Documentation”, RFC 3849. This RFC clearly...

Basic MP-BGP Lab: Cisco Router, Palo Alto, Fortinet

While playing around in my lab learning BGP I configured iBGP with Multiprotocol Extensions (exchanging routing information for IPv6 and legacy IP) between two Cisco routers, a Palo Alto Networks...

MP-BGP Capture

For those who are interested in analyzing basic BGP messages: I have a trace file for you. ;) It consists of two session establishments as I cleared the complete BGP session on two involved routers for...

OSPFv2 Capture

I already had an OSPFv2 for IPv4 lab on my blog. However, I missed capturing a pcap file in order to publish it. So, here it is. Feel free to have a look at another small lab with three Cisco routers...

OSPFv3 with IPsec Authentication

Here comes a small lab consisting of three Cisco routers in which I used OSPFv3 for IPv6 with IPsec authentication. I am listing the configuration commands and some show commands. Furthermore, I am...

Dual-Stack EIGRP Lab

Yet another routing protocol I played with in my lab. ;) This time: EIGRP, Enhanced Interior Gateway Routing Protocol, the proprietary distance-vector routing protocol developed by Cisco, which is now...

EIGRP Capture

And again: Here comes a pcapng capture taken for the dynamic routing protocol EIGRP. If you want to dig into EIGRP messages, download the trace file and browse around it with Wireshark. Since I used...

Using Cisco’s IOS Archive

Cisco’s IOS offers an easy-to-use feature for configuration versioning to an external server such as TFTP or SCP. Furthermore, you can use IOS commands to compare any two snapshots and to roll back to...

My CCNP TSHOOT Lab: The Overall Picture

During the last few weeks I published a couple of blogposts concerning routing protocols such as BGP, OSPFv3, and EIGRP. (Use the “Cisco Router” tag on my blog to list all of them.) They are all part...

SharkFest’18 Europe: Crash Course: IPv6 and Network Protocols

I did a session at SharkFest’18 Europe in Vienna with the title of “Crash Course: IPv6 and Network Protocols”. Since the presentation slides + audio were recorded you can listen to the talk, too. Here...

Trying to change an IPv6 Link-Local Address on a FortiGate

I got an email where someone asked whether I know how to change the link-local IPv6 addresses on a FortiGate similar to any other network/firewall devices. He could not find anything about this on the...
