Categories
PGP

The great PGP tidy up of 2016

Since 2014 I have primarily been using 0x214d23787b90a5b2, this key is now being replaced.

My new key is: 0x0870cf04eb419147

This key replaces:

0x0870cf04eb419147 has been signed by all of the above keys.

Categories
Security

Welcome to the OneRNG

The importance of entropy often goes ignored, especially as you look at the cost of devices that provide entropy. A nice alternative to these is the OneRNG, previously on KickStarter and hopefully soon to be available for general purchase.

I backed the KickStarter campaign and my OneRNG and programmer arrived last week. Verification and installation was very simple, even when you take the slightly more paranoid approach than most.

I currently have the OneRNG connected to a KVM host; however, I plan to move it to something else (perhaps a Raspberry Pi 2 or NUC), using Pollen and Pollinate to provide entropy to my internal hosts – perhaps with a few more OneRNGs thrown in for good measure.

You can read more about why entropy is important and how Pollen / Pollinate work here. You can also see the talk given by Jim Cheetham and Paul Campbell at Linux Conf 2015 on the OneRNG below:

Categories
Security

A valid reason not to broadcast an SSID

I never thought I would find a reason not to broadcast an SSID for a wireless network, alas I have.

Fortinet provide a number of wireless devices designed for remote deployment (in particular the FAP-11C, FAP-14C and FAP-28C). These devices connect back to your wireless controller over a remote network, such as one you would use in a hotel, and are intended to let travelling and remote staff use your corporate network as if they were in the office.

A handy feature of these devices is that they include multiple LAN ports (1, 4 and 8 respectively), which are particularly useful for VoIP phones and other network devices that you would rather not have on WiFi.

Unfortunately, Fortinet’s software currently only allows these ports to be configured as:

  1. Disconnected / None
  2. Bridged to the WAN Port
  3. NAT to the WAN Port
  4. Bridged to an SSID / Wireless Network

To work around this and prevent unauthorised users from connecting to what should be an internal network, do the following. Note – this section assumes your SSID / network name is A_LAN_Network.

  • Create a local group that doesn’t contain any users.
  • Configure the SSID WiFi options.
  • Hide the SSID – unfortunately this option has been removed from the GUI in FortiOS 5.2, so use the commands below in the CLI:

        config wireless-controller vap
            edit A_LAN_Network
                set broadcast-ssid disable
            next
        end

  • Apply the SSID to the LAN port under the FortiAP Profile.

Pictured above are the FortiAP Profile options for a FAP-11C. It should be noted that the FAP-14C puts all 4 LAN ports on the single selected option, whereas the FAP-28C allows all 8 LAN ports to be placed on different SSIDs / networks.
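The steps above, collected into a single FortiOS CLI fragment as an added example (not configuration from the original post or from Fortinet). It assumes FortiOS 5.2-style syntax, a group name of no-users-lan, and that the SSID uses WPA2 Enterprise with the `security`, `auth` and `usergroup` settings shown; only `broadcast-ssid disable` is taken from the post itself, so check the remaining settings against your own firmware before applying them.

```fortios
# Added example, not from the original post. Assumptions: group name
# "no-users-lan", VAP name A_LAN_Network, WPA2 Enterprise settings as below.

# 1. A local user group with no members. Because the SSID authenticates
#    against this group, no credential can ever succeed against it.
config user group
    edit "no-users-lan"
        # deliberately no 'set member' line
    next
end

# 2/3. The SSID that the LAN ports will be bridged to: hidden, and bound to
#      the empty group so that the wireless side is effectively closed.
config wireless-controller vap
    edit "A_LAN_Network"
        set ssid "A_LAN_Network"
        set broadcast-ssid disable
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "no-users-lan"
    next
end

# 4. The SSID is then selected for the LAN port(s) in the FortiAP Profile,
#    which is done in the GUI as described in the post.
```

Two points worth keeping in mind when reviewing this: hiding the SSID only removes it from beacons, so the empty user group is the control that actually denies wireless access, and the hidden name is still the one that appears in the controller's association and authentication logs, which makes failed-authentication events against A_LAN_Network a useful thing to alert on.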