CyberFlood is Spirent’s next-generation GUI for Security and Performance Testing. If you need to test a Firewall, Next-Gen (NGFW) or not, this is the tool you need. The Controller is a Virtual Machine that you deploy and that allows you to configure and run your tests, manage your load generators (whether they are appliances or virtual endpoints), regroup your test results, and so on and so forth.
In this article we’ll see how to deploy the Controller on an ESXi 6.0 host. It’s not the latest ESXi version available today, but that’s what I have. ESXi 6.5 doesn’t change much in the way to deploy the controller except that the VMware interface is in HTML. But the important stuff doesn’t change.
Probably because everything needs to be complicated in cryptography, OpenSSL (and compatible APIs and products) has two sets of Cipher Suite names: Long-Name Format and Short-Name Format. Another way to look at it is that long form names are the most technically accurate ones while short form names are just more practical – especially if you try to fit them in a UI. Just to prove my point, the table below breaks the layout of this website a little bit 🙂
And this is what we do in Avalanche and CyberFlood: we show the Short-Name Format. The table below shows a mapping between Long and Short Name formats. This is directly taken from our documentation, and I might forget to keep this up to date. For reference, the Knowledge Base article this is taken from is available on Spirent Support Website (login required).
I was recently made aware of a nifty project called Pi-Hole. Besides having one of the best project names ever, it’s just a brilliant idea. What PH does is black hole Fully-Qualified Domain Names (FQDN) known for serving advertisement but also used for user-tracking or “telemetry”. Like for instance what Microsoft does with Windows 10 – I don’t want to single them out, they’re hardly the only ones doing this. And the data they get is probably very useful to develop the product. This post is not about the merits of advertisement or user-tracking.
A few years ago I wrote an article on how to test IPSEC on a Fortigate using Avalanche. But the article is largely outdated and only covers Preshared Key Authentication. It so happens that I recently needed to configure a similar test, except this time the authentication mechanism had to be Digital (RSA) Certificates. So let’s get to it.
Let’s recap what we have:
- Load Generator is a Spirent Avalanche C100-S3 running version 4.75.
- DUT is a Fortigate 1500D running FortiOS 5.2.2 (I know it’s not the latest version, but it’s the one I have)
- Devices are connected through an MRV switch and a Velocity topology using 2x 10GbE fibre.
- IPSEC in Tunnel mode
- Digital Certificate Authentication
- Phase 1: IKEv1, DH-Group 14, AES-256 encryption and SHA-256 hash, Aggressive Mode
- Phase 2: AES-256 and SHA-256, no need for PFS (customer’s requirement; Avalanche supports P2 PFS just fine).
Backup (and Backup Management) is a Big Deal and should not be taken lightly.
There are many paid-for solutions of various qualities. There are also various backup strategies. I won’t cover those but I’ll just say that you should have both an on-site and an off-site solution. On-site for frequent backups (and high-speed transfers) and off-site in case, you know, your site burns down (or, less dramatically, if somebody steals your backup drive). In all cases the data should be encrypted even before the transfer with a key known only to you.
For my off-site solution I use an external drive where I back up the files monthly and hand it over to a friend but, while one of the best solutions, it’s a little bit of a hassle. So instead I wanted to back up into the proverbial Cloud and started looking for programs (free and/or open source but also paid for). I tried those:
- S3 Backup: AWS kept returning an error message with regards to the Cipher Suite used. I couldn’t start any backup.
- Cloud Berry: Great features and reasonable price ($30) but horrible UI and it didn’t seem to run in the background at all, or be able to stick to the tray, so no go.
- Arq: Looks horrible especially for the price they ask ($50)
- Duplicati: Tried the 2.0 beta and kept running into errors. That’s expected from a beta but I wanted a stable solution.
- Carbonite: It ignored my audio files and was generally too picky with which files it accepted to back up. I couldn’t find a way to specify “grab everything” so I didn’t like that.
- restic: The one I picked.
Harhar uses several open source libraries (JSON.NET, NodaTime and HarNet) and was provided for free (as in “free beer”). I have uploaded the Harhar source code on Github so it is now a free (as in “free speech”) and open source software!
I don’t expect thousands of pull requests but I thought maybe it could help people to integrate it in their own automation systems, or maybe convert it to another programming language (Harhar is written in C# but is fully compatible with Linux and MacOS through Mono).
I’ll also be using Github to track issues and feature requests so if you find any bug with it, please use that platform. I will try to convert the application note into proper documentation (also on Github) and use AppVeyor to automate the publication of binaries.
The Avalanche product comes with a fully-featured TCL API for several operating systems: Windows, Linux and FreeBSD. Coupled with the “GUI to TCL” feature of the Windows thick client (Avalanche Commander) it’s a very powerful automation tool. The typical use case is “write a test case in the GUI, export it to TCL and execute it from a Linux Virtual Machine” (through a cron task for instance or a Continuous Integration process). This article provides a step-by-step guide on how to do just that on CentOS/RHEL 6.x.