Showing posts with label Firewalls.

Saturday, August 10, 2013

Many manufacturers of security appliances are currently publishing "for Dummies" books. They are free, and you can download them from this post.

Note that these books are free because the vendors want to sell you their products, obviously... But many of them are really interesting, because they explain how Next Generation Firewalls work, how modern malware is evolving, how to mitigate attacks like Distributed Denial of Service, etc.

I've created a compilation of many of them...

Click on the pictures to download the books. If some links are broken, please tell me.

  • Definitive Guide to Next-Generation Threat Protection (FireEye)
  • Intrusion Prevention Systems For Dummies (Sourcefire)
  • Modern Malware for Dummies (Palo Alto Networks)
  • Next Generation Firewalls for Dummies (Palo Alto Networks)
  • UTM for Dummies (Fortinet)
  • DDoS for Dummies (Corero)
  • Network Security in Virtualized Data Centers (Palo Alto Networks)

Posted on Saturday, August 10, 2013 by Javier Nieto


Tuesday, June 04, 2013

If you have recently upgraded your FortiGate firewall to FortiOS 4.0 MR3, perhaps you have noticed an increase in the volume of the traffic log.

FortiOS 4.0 MR3 has the extended-traffic-log setting enabled by default, whereas in previous versions it was disabled by default.

If you want to disable this new default, here are the commands (replace memory with the log destination you use: disk, fortianalyzer, syslogd, ...):

  config log memory filter
      set extended-traffic-log disable
  end

What does the log filter setting "other-traffic" display?

Posted on Tuesday, June 04, 2013 by Javier Nieto


Monday, June 03, 2013

When you build a firewall cluster in High Availability, you need to be sure that the cluster members are fully synchronized.

I am going to give you some commands to switch the CLI session between the members and check your HA.

First of all you need to see how many members there are. If you have an active-passive cluster, you need to know which member is the master. For this, execute:

  # get system ha status

Then you need to know the VDOMs and all the configuration checksums. For this, execute:

  # get system checksum status

You need to compare the checksums between the members; they must be identical. You switch to another member by executing the following, where 1 is the index of the member you want to manage:

  # execute ha manage 1

Finally, you compare the checksums again on that member:

  # get system checksum status

If the checksums are the same, your cluster is OK. If not, you need to fix the problem, because one or more cluster members are misconfigured.
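As an added example (not part of the post), here is a small Python script that does the comparison step for you: it parses the checksum output captured from the master and from the member reached with execute ha manage, and names every scope (global, each VDOM, all) that is out of sync. The two captures are constructed to mimic FortiOS output and are not real data.

```python
import re

# Constructed captures of `get system checksum status` from the master and from the
# member reached with `execute ha manage 1`; they mimic FortiOS output (per-scope
# "name: hex bytes" lines) and are not real data.
MASTER_OUTPUT = """\
checksum
global: 1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09
root: aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99
dmz: 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef
all: 0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f0
"""
MEMBER_OUTPUT = """\
checksum
global: 1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09
root: aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 98
dmz: 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef
all: 0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f1
"""
CHECKSUM_LINE = re.compile(r"^(\S+):\s+((?:[0-9a-fA-F]{2}\s*)+)$")

def parse_checksums(output):
    """Return {scope: checksum_hex}; a later block (e.g. 'checksum' after
    'debugzone') overrides an earlier one for the same scope."""
    sums = {}
    for line in output.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            sums[m.group(1)] = "".join(m.group(2).split()).lower()
    return sums

def compare_members(master_output, member_output):
    """Return {scope: reason} for every scope that differs or is missing on
    one side. An empty dict means the members are in sync."""
    a, b = parse_checksums(master_output), parse_checksums(member_output)
    diffs = {}
    for scope in sorted(set(a) | set(b)):
        if scope not in a or scope not in b:
            diffs[scope] = "missing on one member"
        elif a[scope] != b[scope]:
            diffs[scope] = f"{a[scope]} != {b[scope]}"
    return diffs

if __name__ == "__main__":
    for scope, why in compare_members(MASTER_OUTPUT, MEMBER_OUTPUT).items():
        print(f"OUT OF SYNC {scope}: {why}")  # root and all differ in the sample
```

A mismatch in a single VDOM points you at the member and VDOM to inspect, while a difference only in "all" with identical per-VDOM lines would mean the capture is incomplete.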




Posted on Monday, June 03, 2013 by Javier Nieto


Sometimes, firewall security administrators have told me... "I have a lot of policy rules on my firewall, how can I discover unused policy rules?" or "I just created a new policy rule, how can I know if this rule has been matching?"

With Fortinet firewalls this is really easy to do.

First of all you need to add a new column in the Policy -> Policy section.

It's necessary to add the Count option to the right-hand field.

Finally, you will see whether the rule was matched or not, and how many packets and megabytes have crossed the policy rule.

The counters of all policy rules are reset to "0 packets/0 B" when the firewall is rebooted. If the last time you rebooted your firewall was one year ago and you still have policy rules showing "0 packets/0 B", maybe these rules are unnecessary.

You can also reset a policy rule's counter to 0 manually by right-clicking on the policy and selecting "Clear Counters".



Posted on Monday, June 03, 2013 by Javier Nieto


Friday, May 31, 2013

Last week I had to configure a FortiGate with IPv6. The firewall also needed to work as a DHCPv6 server.

Within two weeks, we will have around 200-300 network administrators in a conference room connected by WiFi. We want these users to get only IPv6 addresses. So, if the network administrators have not yet implemented IPv6 in their remote networks, they will not be able to connect to them. We want them to keep in mind the importance of IPv6 in the near future.

The following configuration is running on FortiGate firmware v5.0.2. This version is only recommended for testing purposes; I recommend the v4.3.10 firmware version. In this case we wanted to test the latest firmware version in a "production environment" too.

How to configure the external interface (the M and O flags in the router advertisements tell clients to obtain addresses and options from DHCPv6):

config system interface
    edit "wan1"
        set alias "External"
            config ipv6
                set ip6-address xxxx:xxx:xxx:113::2/64
                set ip6-allowaccess ping
                set ip6-manage-flag enable
                set ip6-other-flag enable
            end
    next
end

How to configure the static6 default route:

config router static6
    edit 1
        set device "wan1"
        set gateway xxxx:xxx:xxx:113::1
    next
end
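As an added example (not part of the post), the following Python script parses the two fragments above and checks that they are consistent with each other: the static6 gateway must be on-link for the ip6-address of the route's device, and the RA M flag must be enabled or clients will never ask the DHCPv6 server for an address. The documentation prefix 2001:db8:0:113::/64 stands in for the masked xxxx:xxx:xxx:113:: addresses.

```python
import ipaddress

# Constructed from the post's fragment: 2001:db8:0:113::/64 stands in for the masked prefix.
CONFIG = """\
config system interface
    edit "wan1"
        config ipv6
            set ip6-address 2001:db8:0:113::2/64
            set ip6-manage-flag enable
            set ip6-other-flag enable
        end
    next
end
config router static6
    edit 1
        set device "wan1"
        set gateway 2001:db8:0:113::1
    next
end
"""

def parse_fortios(config):
    """Flatten FortiOS CLI text into {(config/edit path tuple): {key: value}}."""
    tree, stack = {}, []
    for parts in (ln.split() for ln in config.splitlines() if ln.strip()):
        word, rest = parts[0], " ".join(parts[1:])
        if word in ("config", "edit"):
            stack.append(rest.strip('"'))        # descend into a block or table entry
        elif word in ("next", "end"):
            stack.pop()                           # leave the entry or block
        elif word == "set":
            key, _, value = rest.partition(" ")
            tree.setdefault(tuple(stack), {})[key] = value.strip('"')
    return tree

def check_default_gateway(config, route_id="1"):
    """Return findings (empty = OK): gateway on-link for the device, RA M flag set for DHCPv6."""
    tree = parse_fortios(config)
    route = tree[("router static6", route_id)]
    ipv6 = tree.get(("system interface", route["device"], "ipv6"), {})
    if "ip6-address" not in ipv6:
        return [f"{route['device']} has no ip6-address configured"]
    iface = ipaddress.IPv6Interface(ipv6["ip6-address"])
    gw = ipaddress.IPv6Address(route["gateway"])
    findings = []
    if gw not in iface.network or gw == iface.ip:
        findings.append(f"gateway {gw} is not a valid on-link next hop for {iface}")
    if ipv6.get("ip6-manage-flag") != "enable":
        findings.append("ip6-manage-flag not enabled: RA will not send clients to DHCPv6")
    return findings
```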


Posted on Friday, May 31, 2013 by Javier Nieto


Thursday, April 11, 2013

In this post, we'll try to identify the main features that need to be analyzed before buying an enterprise firewall.

Very often I hear things like... "What's the best firewall in the market?" or "What firewall should I buy for my company?"

The answer is: "It depends on what type of network you need to protect."

A network with 100 users is not the same as a critical, redundant network with 50,000 users and 300 servers...



In my opinion these are the essential questions you need to think about.

Features

  • What is the maximum number of concurrent firewall sessions needed?
  • How many new firewall sessions per second do you have in your network?
  • How much firewall throughput do you need?
  • How many VPN tunnels and how much VPN throughput do you need?
  • What VPN protocols do you want to use (IPsec, L2TP, PPTP)?
  • Do you require high availability (load balancing, failover)?
  • Do you need copper or fiber, 10/100/1000/10000 Mbps interfaces?
  • Are you currently using IPv6, or will it be implemented in the future?
  • How many concurrent sessions and how much throughput will you need in the future?

Be careful when calculating the throughput. Throughput is the average rate of successful message delivery over all your network interfaces, not only on the Internet connections.
Commonly, manufacturers measure throughput in a lab with certain packet sizes and not in the real world, so datasheet figures will not necessarily match your traffic.

Today, firewalls have extra features to keep in mind:
  • Application Control
  • Antivirus
  • IDS/IPS
  • AntiSpam
  • URL Filtering
  • SSL decryption
  • Data Loss Prevention
  • DHCP
  • Bandwidth Management
  • WAN Optimization
  • Web Cache
  • Proxy
  • ...

Posted on Thursday, April 11, 2013 by Javier Nieto


Tuesday, April 02, 2013

Some months ago, Fortinet published a new list of supported botnet applications.

More and more infected hosts are being included in botnets. Fortinet has developed new application signatures to try to prevent infected PCs (called zombies) from contacting their Command & Control server.

Today, this is the botnet list known by FortiGate:

Agobot.Phatbot, Asprox, BlackEnergy, Bredolab, CMultiLoader, Chapro, Citadel, Cridex, DHL, Danmec.Asprox, Darkness, Dexter, DirtJumper, DistTrack, Duqu, ET, Eleonore.Web.Exploit, FakeSkype, Festi, Flame, Gbot, Gootkit, Gozi, Gumblar, Hiloti, IRC, Illusion, Imrabot, Jeefosance, Katusha, Koobface, LOIC, LOIC.IRC, Lethic, LoL, MacOS.Flashback, MachBot, Mariposa, MoneyBack, Morto, Murofet.CC, Night.Dragon, Pbbot, Phatbot, Pushdo, Qakbot, Ramnit, SDBot, SSHDkit Botnet, Sasfis, Sisron, Smoke, SpyEye, Storm.Krackin, Storm.Worm, T3C4I3, Tedroo, Torpig.Mebroot, Ursnif, VBCF, VertexNet, Vilsel, Virut, Vundo, Waledac, Webwail.Audio.Captcha, Yahoo.Messenger.Worm, Zeroaccess, Zeus

How can we block this with FortiGate firewalls?

First of all, you need to create an Application Sensor under UTM Profiles. We named the sensor "Botnet":



Posted on Tuesday, April 02, 2013 by Javier Nieto
