I have a T70 device I'd like connect up via BOVPN with a XTM2 device (with wireless) at a home office location.  In front of the XTM2 I will have an AT&T uverse router in bridged mode.

I'd like all of the data from one port on the xtm2 to go back and forth over the BOVPN.  I'd like all of the wireless traffic to travel out to the internet.  

Can someone please tell me if this is possible and point me in the right direction for accomplishing this?   I've setup BOVPN's between two devices before but it was moving all traffic between both devices and I need to keep the wireless (home users) traffic off the VPN.

Attached is an SSL scan report (by Qualys) of 2 portals:

a) will such deficiencies flagged by Qualys be flagged by a blackbox pentest as well (tester is using Nessus Tenable)?

b) for the items highlighted in yellow, if we place a WAF & CDN in front of the portal, can the items be remediated?
    I heard F5 WAF could 'block' off SSLv3, TLS1.0 & 1.1 as a way of mitigating but what about the weak ciphers etc?

Have a Checkpoint NIDS as well if this is of any help.


We can obtain a fresh cert if needed  but concerns are:
a) we don't plan to change the A10 loadbalancer (that's used for the 2 portals): understand a number of what's flagged is due to this A10 LB
b) the applications team can't amend the codes within the short term (but we have only a couple months to remediate)
SSLabscanJ2.docx

One of the monthly IT Security metrics in my previous place is
to show  # of 'High' DDoS alerts for the month (leaving out the
Med & Low ones), extracted from Arbor Peakflow of cleanpipe.

Attached is how one such extraction looks like: basically we'll
count the # of 'High' alerts.

In new place, question was raised how this data can be useful
as IT Security metric.

My guess is Audit wants to see a trend (of 6-12 months) of the
# of 'High' alerts for DDoS: if it's always about the same, no
alarm but, say for a particular month, it triples, it's a concern?

Anyone has any clue how this data (or any other Peakflows'
data) could be useful for presentation to serve as IT Security
metrics?

Anyone has any Application DDoS security metrics that could
be useful as IT Security metrics?
DDoS.jpg

If the last security policy in a zone pair on a Juniper SRX is a permit - is traffic between those zones still DENIED by default?
e.g. if the policy below was the last and only policy for the zone-pair - would all other traffic between those zones get denied?
-
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match source-address td-edgenode01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match destination-address felinni01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-21300
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-22217
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 then permit

We are considering Splunk, ELK or Apache Metro Hadoop  for SIEM.

Q1:
I've encountered nightmares with a top-end SIEM in the past when
querying/retrieving data : takes days & even crash : which of the
above has excellent super-speed log management & querying?

Q2:
I was told by an ex-colleague that Arcsight/Splunk requires CEF
(Common Event Format or syslog format) to be piped to them
as they can't accept any other format.  A vendor using QRadar
told me QRadar requires syslog/CEF format inputs too.
I've SNMP traps / MIBS events (eg: from Cisco & proprietary
devices) that my ex-colleague told me can't be accepted by
Splunk/Arcsight, so would like to know if any of the 3 above
tools are more readily able to accept other SNMP/other
event formats

Q3:
Heard that ELK lacks policies which in the long run will be
costlier if we get consultants to customize : do the other
2 products have this concern.  
Also, Splunk Enterprise goes by amount of logs & we're
concerned that too much logs (can be 500MB/month)
 will make the cost high:  weighing between customization
/set-up PS efforts & licensing costs based on amount of
logs (which I guess we can archive off older logs to reduce
the license cost), which of the 3 are more cost-effective?

what are some of the small business routers that will be recommended to come with guest wifi, vpn plus range of security features?

Our users are MFA'd but Azure reports: "Sign-ins from IP addresses that are anonymous, such as Tor IP addresses."

How is that possible?

I have 3 different users reporting this for location = Chelsea, NY, USA

YIKES!!!

Q1:
If we don't subscribe to among the lowest-end  O356 Exchange Online,
how can we further secure our email defenses (if we don't purchase
filtering tools like IronPort & Proofpoint)?

Q2:
I've heard in Postfix forum that they link Postfix server to SpamHaus,
CBL (pls suggest more free Site Reputation services for emails):    can
 Exchange Online implement this?  Can we integrate with Virustotal?

Q3:
Based on threat intels we get, can we add the hashes into our NIDS
CHeckpoint (assuming email payloads pass through it or in practice
people don't do this?) or Exchange Online??

Q4:
Will hardening our Outlook client, MS Office, Pdf reader (& all the
'Mobile Codes' softwares) help?

Hi All,

I am using XTM 26 series watch guard firewall in the company. We have some remote location offices are running independently and they all have CCTV camera is installed. Now when I am trying to access all remote offices camera (P2P Connection) using company network, it is not connecting at all. While, I am switch to mobile network, I can see all the cameras of all offices and vice-versa.

I understand that, firewall is blocking something. To check it, I did some real time monitoring and I have found the following log message

2018-10-04 14:54:07 Deny 192.168.1.28 255.255.255.255 32761/udp 50222 32761 1-Trusted Firebox Denied 80 64 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"

I already have created SNAT rule from any-external to internal DVR IP address and allowed the ports 80,32761,9000

Can anyone tell me that, What i am missing here.

Hi Experts
I am planing to study the information security, I am working in the IT field long time ago
But I do not know any courses i can start by.  some of them told me that CEH is perfect and other told me  to CEH it is useless
please advice me

Need to block network users from being able to access BitTorrent (BMTORRENT).   I have a Sonicwall TZ-215 along with the premium content filtering.  I can block the URL of the usage, but can not determined the proper ports to target the service to block.  

Goal is to not have to upgrade to the "Application Control" that can detect the signature of the traffic or such.  I am fine with blocking the defaults or making more difficult for the person.  I understand that they could use other methods to avoid detection.

We have deployed On-premises MFA server in the customer RDS environment.
The two factor is working perfectly when login in to the MFA user portal or using RDP icon downloaded from the rdweb site. But MAC users and Windows 10 users with the new Remote desktop APP are prompt twice for two factor. I suppose it’s because it connects to the RD Gateway in a different way than mstsc does.
I have tried to activate caching rules in the Azure portal. But I’m not sure if this will have any effect since we have installed the MFA server locally. Anyway, this have no effect on the issue.
We first tested with Duo two factor and also with this software users on Mac and Windows 10 app where prompt twice for the two factor.
Please advise.

To protect our corporate users from being compromised when they
connect to outside Wifi (which may be potentially rogue Wifi), is it
feasible if we implement MS Direct Access or Always-On-VPN?

https://technet.microsoft.com/en-us/library/dd759144(v=ws.11).aspx
https://directaccess.richardhicks.com/tag/directaccess-alternatives/

The products above would establish a tunnel so the rogue Wifi can't
steal credentials nor data & with VPN established, I suppose malwares
can't infect the laptops as the rogue Wifi has no connection to the laptop
(tunnel-protected) or did I get this idea wrong ie can still get infected
even with such tunnel??

We still want the users to be able to access Internet but protect them
in the event they're using a rogue Wifi