Thank you Jerry!

No worries! Thank you for your work Jerry

I am currently transitioning into a Security role at work. One question would be: what are the must-have tools for every blue team?

• Vuln-Scanner
• Logging/ SIEM-Server
• ...

Thank you for the AMA.

Do you regularly feel overwhelmed? - Keeping up with the sec news and patch accordingly, firewall/ips and endpoint alarms, logs, meetings, and more. It shouldn't be the case, but it seems that everything in security is prio 1.

EDIT: and being the party pooper and saying no to everything, bc people do not think about security.

I am currently trying to organize my notes. The old 'system' is a pain, and getting everything centralized makes it easier to find things. Notes, snippets, bookmarks, and so on.

I am certain that we block ICMP on multiple FW in between. I could allow it temporary and check. Good suggestion.

Valid question. We've checked it multiple times, on the client and via monitoring that it is 10 Mbits. Thank you.

Testing a few CTF platforms to learn more about pentesting. It is interesting, but the learning curve is quite steep.

It seems that I have to drive more often to the office again. Any bag recommendations? What is your favorite brand/ model?

Fairly new too - why wouldn't you be able to answer if the post is set to 'Undetermined'. Haven't had any issues yet.

Learning things about Wireguard and implement it to secure my internet facing servers.

Just ordered the Catalyst 26. Thanks again

Same here

Those bags are looking great! Having enough space for tools and a big water bottle. Cheers

Getting a pcap of another client could bring some insight, yeah.

SSH is used for the data transfer. Without knowing it at this moment, I'd assume scp or rsync. You mean whether all their internet traffic is routed through the active SSH session?

No worries, thank you for your input!

1. what logging/debugging would you activate for that case? - Not too familiar with Fortigate yet and would appreciate some tipps, IF you are familiar with those.
2. the IPSec tunnel is the only connection between these locations so it is rather difficult. But I get what you mean and check if there is another option.

Good points!

Added the Update 2. Still some things to do, but we know a little bit more now. Feedback and questions are still welcome.

Exactly what I do if it does not work. Create post, go back, block.

Not sure on the logging. I’m a data center guy and would rather see firewalls in the trash lol. They usually just cause problems.

Haha - I'd like to disagree, but you are right.

For the WAN, surely there is some way you can reach those sites over the general internet. You have ISP connections.

I for sure could do it, but it is not that easy to expose a server to the internet. There would be multiple departments involved and I need to get permission. And yeah, even with IP whitelisting. I guess that will be my last resort.

Still waiting for the test clients. Probably going to shift some hours into the weekend so I don't disturb daily business.

Ping - Update 2 @[email protected] @[email protected] @[email protected]

I hope it is ok to ping you.