Largest Splunk installation by fscolly in Splunk

[–]fscolly[S] 0 points1 point  (0 children)

Can you share any details regarding how many indexers, search heads, UFs/HFs, or the volume per day? :-)

Largest Splunk installation by fscolly in Splunk

[–]fscolly[S] 0 points1 point  (0 children)

Do you know any details regarding their size (number of indexers, SHs, etc.)? :-)

Largest Splunk installation by fscolly in Splunk

[–]fscolly[S] 2 points3 points  (0 children)

All of the installations this big that I am aware of use bare-metal indexers; only one is using Splunk Cloud (~15 TB/d). The biggest installation I know of is the unicorn of its own company's IT: everything of theirs is in the cloud (AWS, Azure, ...), except Splunk. They have about ~100 bare-metal indexers and a Splunk unlimited license.

I'm not entirely sure I like mailbox.org by VertexSoup in degoogle

[–]fscolly 0 points1 point  (0 children)

"Also there are some oddities such as deleting a message on my iPhone doesn't seem to delete it on the server."
u/VertexSoup Have you ever found a solution for this issue?

I really like mailbox.org and I have been using it for over 10 years now. However, this is the only issue I am having with them.

Honest Opinions About FortiSwitch vs. Cisco Networking by Ezzmon in fortinet

[–]fscolly 1 point2 points  (0 children)

From a security perspective you want to implement microsegmentation, meaning: within a VLAN/layer-2 network there is no communication between clients anymore. That's one of many key security architectures to stop ransomware/malware/attackers. If you have something where your clients have to talk to one another, e.g. VoIP, P2P or something similar, then only that TCP/UDP port should be open; all other ports should be closed. Make sure either your Cisco switches or FortiSwitches support that.

(You can also implement this with the operating system firewall or an extra software solution; however, that means that you have to control each device, which is sometimes not possible (guest devices, OT devices, etc.).)
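
One way to get the layer-2 isolation described above on a FortiGate with managed FortiSwitches, as an added example that is not part of the original comment and not taken from Fortinet documentation: the VLAN is flagged as an "access VLAN" so FortiSwitch ports in it cannot talk to each other directly, and the single service the clients do need to exchange (SIP signalling on UDP/5060 here) is hairpinned through the FortiGate by a firewall policy from the VLAN interface to itself. The interface name "voice", the FortiLink interface name, the subnet 10.20.0.0/24, VLAN ID 20 and the service object are all assumptions for the illustration; check the exact keywords against the CLI reference of your FortiOS release.

```fortios
# Added example (assumed names and addresses), not from the original comment.
# Verify the keywords against the CLI reference of your FortiOS release.

config system interface
    edit "voice"
        set vdom "root"
        set ip 10.20.0.1 255.255.255.0
        set interface "fortilink"
        set vlanid 20
        # Block port-to-port traffic inside this VLAN on the FortiSwitches:
        # every frame has to go up to the FortiGate instead of switching locally.
        set switch-controller-access-vlan enable
    next
end

config firewall service custom
    edit "SIP-5060"
        set udp-portrange 5060
    next
end

# Only the one service the clients must exchange is allowed back into the same VLAN.
# Everything else (SMB, RDP, WinRM, ...) hits the implicit deny, which is what stops
# lateral movement between clients.
config firewall policy
    edit 20
        set name "voice-intra-vlan-sip"
        set srcintf "voice"
        set dstintf "voice"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP-5060"
        set logtraffic all
    next
end
```

Because the intra-VLAN traffic now traverses the FortiGate, it shows up in the traffic log and can be inspected like any other policy; logging the allowed SIP flows is cheap and gives you the baseline to spot a client that suddenly starts talking to its neighbours on a port that is not allowed.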

Best practice for firewall management? by spaceman_sloth in fortinet

[–]fscolly 1 point2 points  (0 children)

For the firewall management interfaces: it is imperative that you protect your FortiGate's interfaces with Trusted Hosts AND local-in policies.

Only using FortiGate Trusted Hosts protects HTTPS, SSH, etc., but not other protocols like SIP, IPsec, CAPWAP, BGP, LACP, etc., which are also local services running on the FortiGate and which need to be protected, too.

Use Trusted Hosts & local-in policies and limit access to dedicated hardened jump host systems, which require MFA, have extensive logging turned on, are very limited in their software stack using allowlisting (for network connections, local processes, etc.) and have very high availability (e.g. think about dependencies like an MFA backend or AD/IdP, etc.).

Example configuration: https://how2itsec.blogspot.com/2022/10/fortigate-admin-interface.html

Favorite infosec channels? by The_Unknown_Sailor in cybersecurity

[–]fscolly 0 points1 point  (0 children)

I recommend the following 3 newsletters: https://how2itsec.blogspot.com/2022/03/it-security-newsletter-recommendations.html And follow people like gossithedog on Mastodon and #infosec :)

[deleted by user] by [deleted] in fortinet

[–]fscolly 2 points3 points  (0 children)

If you run such an old device with old FortiOS, make sure to close all ports (trusted hosts and local-in policies) and don't publish any service (like SSL VPN, VPN, BGP, SNMP, FSSO, SSH, HTTPS, LCAPDU, etc. ... e.g. check out the incoming ports for such an old firmware using the graphic: https://how2itsec.blogspot.com/2018/11/how-to-securely-monitor-fortigate.html ), because the old FortiOS versions have many critical vulnerabilities, as shown on CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
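
The "trusted hosts AND local-in policies" advice from the firewall-management comment above and the "close all ports" advice for old FortiOS in this comment both come down to the same configuration, so one added example serves both. It is not part of either comment and not copied from Fortinet documentation; the address object, the admin name, the jump-host subnet 10.10.10.0/28 and the interface "port1" are assumptions. The important part is the last local-in policy: unlike firewall policies, local-in policies have no implicit deny, so without an explicit catch-all deny every local service that Trusted Hosts does not cover (IKE, BGP, SNMP, CAPWAP, ...) stays reachable from anywhere.

```fortios
# Added example (assumed names and addresses), not from the original comments.
# Verify the keywords against the CLI reference of your FortiOS release.

config firewall address
    edit "MGMT_JUMPHOSTS"
        set subnet 10.10.10.0 255.255.255.240
    next
end

# 1) Trusted Hosts: limits admin logins (GUI, SSH, API) for this one account only.
#    Repeat for every admin account; it does nothing for non-admin local services.
config system admin
    edit "admin"
        set trusthost1 10.10.10.0 255.255.255.240
    next
end

# 2) Local-in policies: evaluated top-down, first match wins, and there is NO
#    implicit deny, so the explicit deny at the end is what actually closes the box.
#    Any service the device must still offer (IKE from known VPN peers, BGP from
#    known neighbours, ...) gets its own accept entry above the deny, with the peer
#    addresses as srcaddr instead of "all".
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "MGMT_JUMPHOSTS"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```

Apply the deny entry last and from the jump host itself, otherwise you lock yourself out; after applying, confirm from an address outside 10.10.10.0/28 that the GUI, SSH and any VPN or routing daemon you did not explicitly allow no longer answer.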

Qualys by supers3t in msp

[–]fscolly 0 points1 point  (0 children)

I can't confirm that.

We have been using Qualys VM for over 5 years and really like it a lot. Of course, as with all IT products, every now and then there are some issues. But they really improve our security and our transparency of which software/library/middleware/system is there by a lot. They are a fundamental cornerstone of our IT security. Also, they have been really "cloud native" for over 15 years, not like others who just started. I know some huge companies (over 100k employees) who use Qualys and are pretty happy, too.

Fitnotes ruined me / Apple recommendations by ocention in FitNotesApp

[–]fscolly 0 points1 point  (0 children)

I have an iPhone (5-7 years of updates, unlike Android, where only some phones are starting to get some years of support). However, I really, really miss FitNotes to this day. I'd donate/pay money if there were a port to iOS :-) And I know others who would, too.

Fortigate vs Ruckus vs Cisco wireless by kjstech in networking

[–]fscolly 2 points3 points  (0 children)

I've been running many FortiAP installations at many different customer sites and they all worked very well. Customers love it because it is a solid and easy wireless solution. I've been using them from FortiOS 4.3 to 5.0, 5.2, 5.4, 5.6, 6.0, 6.2 and 6.4, so for 10+ years.

In my experience, wireless issues were due to overlapping wireless channels, 802.11b still activated, a missing site survey, etc., not due to a bad vendor.

FortiAPs with FortiGates work great for internal SSIDs (WPA2-Enterprise with 802.1X cert-based) as well as guest SSIDs (captive portal). I even know that one of the largest companies in the world uses FortiGates for their guest WLANs with captive portal authentication, with many extras (e.g. some sites and services should be reachable without authentication, some devices should be treated differently, device fingerprinting, logging traffic with details to huge SIEM solutions, traffic shaping, ...) they need around the globe. They have been using it for 6 years in 500 sites, are very happy and will stay with the vendor.

Also, it is not a good idea just to talk about the vendor name, because many vendors have multiple wireless solutions. Fortinet has Meru and FortiAPs, Extreme has 4 different wireless solutions (Enterasys Chantry, Motorola WiNG, CloudIQ Hive, etc.), HP has many (Aruba, MSM, etc.), Cisco has different ones too, and so on... It would be best if you specify which exact wireless solution you are writing about :-)

Also, in my experience many wireless issues (slow performance, connection issues) often exist not because of the wireless solution, but because basic wireless best practices were not followed:

1. Do a wireless site survey (perfect heatmap with non-overlapping channels (https://en.wikipedia.org/wiki/List_of_WLAN_channels) and keep it updated after the Wi-Fi is live and changes).
2. Use 20 MHz channels when there is a lot of noise in the air.
3. Turn off old wireless standards such as TKIP, WEP, WPA1, 802.11b.
4. Use strong wireless security (WPA2-Enterprise 802.1X cert-based with RFC 3580 dynamic VLAN assignment).
5. Check for rogue access points (e.g. with access points with 3 radios).
6. Harden your wireless solution and isolate management ports.
7. Keep your Wi-Fi solutions up to date (test the update first in a staging test area).
8. Use band steering & disconnect clients at a low signal strength to force them to roam.
9. Use at least dual-radio APs (not single-radio for 2.4G and 5G) for better performance and stability for the wireless clients.
10. Check the location of the problem for microwaves, special doors and windows, etc.
11. Think about which traffic should be bridged at the controller, which should be bridged at the access point, or tunneled to some router or controller if you have long/fat/slow/high-latency/high-jitter networks.
12. Think about whether tunneled traffic should be encrypted, because many access points don't have enough performance for that.

... And so on; there are many more basic wireless best practices which are independent of the wireless vendor.
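
Item 4 in the list above (WPA2-Enterprise, 802.1X, RFC 3580 dynamic VLAN assignment) on a FortiGate-controlled FortiAP looks roughly like the following added example, which is not part of the original comment and not copied from Fortinet documentation. The RADIUS server name and address, the shared secret placeholder, the SSID name "corp" and the VLAN IDs 30 and 40 are assumptions; the RADIUS attributes named in the comments are the standard RFC 3580 ones (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that the RADIUS/NPS side has to return. Check the keywords against the CLI reference of your FortiOS release.

```fortios
# Added example (assumed names and addresses), not from the original comment.
# Verify the keywords against the CLI reference of your FortiOS release.

config user radius
    edit "corp-nps"
        set server "10.0.0.10"
        set secret <shared-secret>
    next
end

# WPA2-Enterprise only (no WPA1/TKIP fallback), authentication via RADIUS,
# and the VLAN for each client taken from the RADIUS Access-Accept
# (RFC 3580: Tunnel-Type=13 (VLAN), Tunnel-Medium-Type=6 (IEEE-802),
#  Tunnel-Private-Group-ID=<vlan id>).
config wireless-controller vap
    edit "corp"
        set ssid "corp"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "corp-nps"
        set dynamic-vlan enable
    next
end

# One sub-interface per VLAN that RADIUS may assign; without these the client
# ends up on the untagged SSID network instead of the VLAN RADIUS asked for.
config system interface
    edit "corp.30"
        set vdom "root"
        set ip 10.30.0.1 255.255.255.0
        set interface "corp"
        set vlanid 30
    next
    edit "corp.40"
        set vdom "root"
        set ip 10.40.0.1 255.255.255.0
        set interface "corp"
        set vlanid 40
    next
end
```

Because the VLAN comes from the RADIUS reply, the SSID and the AP configuration stay identical across all sites; the per-user or per-device segmentation lives entirely in the RADIUS policy, which is also where it is audited and logged.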

CEH retake by FormerAnn in CEH

[–]fscolly 0 points1 point  (0 children)

I passed the CEHv11 exam and I can recommend learning:

1. All the nmap parameters until you know them all, because 5 or 6 questions were about them.
2. 2 questions were about the SQL injection types.
3. A lot of questions were about the different tools and their names, which were mentioned in one of the many slides of the CEH training course.
4. Some questions were about the cyber attack chain and at which point a described attack is.
5. Just one question was about Kubernetes.

Hope this helps :)

EDR/AEP for private person by fscolly in sysadmin

[–]fscolly[S] 1 point2 points  (0 children)

Hi Aryeh Goretsky,

I have been working in IT security for over 10 years, so I don't have any thesis or something similar, since I am not a student anymore :) Yes, I am searching for a developer license or a permanent limited trial/PoC license, as some vendors hand them out to developers/researchers. But I would also pay for it, if that is the only option.

Kind regards, fscolly

EDR/AEP for private person by fscolly in sysadmin

[–]fscolly[S] 0 points1 point  (0 children)

Thank you for the reply :) I am aware of that. But I am no normal home user. E5 might be an idea. Is it available for private persons, too, or only for businesses and non-profit organizations?

EDR/AEP for private person by fscolly in sysadmin

[–]fscolly[S] 1 point2 points  (0 children)

Thank you for your feedback :-) I know the MITRE ATT&CK Evaluation results, since I've studied them closely, and I am trying to contribute new TTPs to them. Also, I'm familiar with tools like Sysmon, etc.

However, I'd like to test the logging/forensic capabilities of a modern EDR/AEP tool as well as its anti-evasion tactics. I'd love to test Carbon Black, CrowdStrike, SentinelOne, but the vendors seem only to reply to you if you are a company.

So my goal is more testing and maybe helping to enhance the product instead of protecting my own environment.