Tagged: Security
21 posts · browse all tags
-
Ansible Deep Dive Part 6: Variable Precedence and Ansible Vault — Secrets Done Right
Part 6: the full variable precedence ladder from role defaults to extra-vars, then Ansible Vault end to end — encrypting whole files and single strings, vault IDs for multiple secret tiers, and keeping vault passwords out of the repo entirely.
-
AI Part 8: Kali 2026.2's Nine New Tools, and the MCP Server With 150 More Behind It
Kali 2026.2 shipped nine new tools, one an AI CLI by default. I installed and ran every one I could in a rootless sandbox, then looked behind the curtain at a 17,000-line MCP server wrapping 150+ tools, and Kali's own local-LLM stack. No fabricated output.
-
Cilium: Kubernetes Networking and Security Built on eBPF
Cilium replaces iptables-based kube-proxy and overlay CNIs with eBPF programs on the kernel datapath. Connects back to namespaces, veth pairs, nftables, and eBPF/XDP, then covers identity-based network policy and Hubble observability.
-
AI Part 7: When an LLM Gets Nmap and Metasploit as Tools
I wired an LLM into nmap and Metasploit against a deliberately vulnerable lab. The exploit worked — a real, server-verified root shell — but the sharper finding was the models themselves: a 7B fabricated its tool output wholesale, an 8B mangled its arguments, and only a 32B drove the tools honestly. No fabricated transcripts — the model's included.
-
Nmap and the Scripting Engine: A Network Engineer's Field Guide to NSE
Nmap's scan engine and NSE scripting framework are as useful for firewall change validation and inventory work as for security assessments. Covers scan types, timing, NSE categories, writing a custom script, and practical recipes for network engineers.
-
strncpy Is Finally Gone: What Linux 7.2-rc1 Means for Kernel Security
Linus opened the 7.2 merge window and tagged 7.2-rc1 — and with it, strncpy() is finally gone from the kernel tree. Six years, 362 commits, 70 contributors. Here's what the function actually did wrong, why it took so long to kill, and why removal beats deprecation.
-
Chronos Keeps Time: Building an Enterprise-Grade NTP Service with chrony and Integrating it with FortiGate
Why we chose chrony over ntpd and timesyncd, what CIS and Fortinet hardening guides say about NTP, a full build walkthrough, the deny-all ordering mistake every network engineer will make, and how to generate NTP keys that FortiOS will actually accept.
-
Zero Trust Meets the Overlay: Converging ZTNA and SD-WAN on Fortinet
The capstone to the SD-WAN series: how Fortinet's ZTNA tags and access proxy let you fold per-application, identity-aware access control directly into the SD-WAN fabric — built on the RADIUS/TACACS AAA backend and the PKI you already stood up for IPsec.
-
spectre-meltdown-checker: Auditing CPU Vulnerability Mitigations on Linux
A deep dive into spectre-meltdown-checker — how it actually works under the hood, what it tells you that /sys/devices/system/cpu/vulnerabilities does not, the alternative tools (lscpu, vendor microcode checkers, in-tree kernel reporting), and when to reach for each one on a production Linux box.
-
Configuring RADIUS Admin Auth on FortiGate SD-WAN: RBAC and Three User Profiles (Part 2 of 2)
Part 2 of 2 on RADIUS for FortiGate SD-WAN. Walks through the FortiOS config end-to-end — RADIUS server entry, group-to-profile mapping via VSA, three worked RBAC examples (senior engineer, NOC operator, compliance auditor), and the verification commands you'll need.
-
NSE5 Exam Syllabus: Study Roadmap (Part 1 of 10)
Part 1 of a 10-part study series for the Fortinet NSE 5 / FCP FortiManager Administrator certification. Covers the exam logistics, the official curriculum grouped into topic buckets, and the roadmap for the rest of the series.
-
RADIUS vs TACACS+ on FortiGate SD-WAN: Choosing the Right AAA Backend (Part 1 of 2)
Part 1 of 2 on RADIUS for FortiGate SD-WAN. Covers the protocol differences vs TACACS+, the RADIUS server options worth knowing (NPS, FortiAuthenticator, FreeRADIUS, ISE, Okta, Duo, Entra), and when each protocol is the right call for FortiOS.
-
iptables to nftables: Migrating Production Firewalls Without Downtime
A working engineer's guide to moving from iptables to nftables on production Linux firewalls — the mental model shift, where iptables-translate misleads you, atomic ruleset swaps, and a clean rollback strategy that means a bad migration costs you seconds, not your weekend.
-
SSH Hardening Beyond the Basics: Certificate Authorities, Bastion Patterns, and Session Auditing
A production-grade SSH setup that goes beyond disabling password auth — running your own SSH CA with short-lived user and host certificates, ProxyJump bastions, ForceCommand restrictions, and recording sessions with tlog and auditd.
-
NSE4 Exam Syllabus: Study Roadmap (Part 1 of 10)
Part 1 of a study series for the Fortinet NSE 4 / FCP FortiGate Administrator certification. Covers exam logistics, the official 16-lesson curriculum grouped into topic buckets, and the roadmap for the rest of the series.
-
NSE4 Part 2: Initial Configuration & the Security Fabric
Part 2 of the NSE4 study series — covers the day-one FortiGate configuration (interfaces, operation modes, admin access, DHCP, FortiGuard) and how the Security Fabric stitches multiple FortiGates and Fortinet products together.
-
NSE4 Part 3: Firewall Policies & NAT
Part 3 of the NSE4 study series — firewall policy structure, lookup order, NGFW modes, central vs policy NAT, source NAT pools, virtual IPs, and the session helpers behind protocol fixups.
-
NSE4 Part 4: Authentication, FSSO & Certificates
Part 4 of the NSE4 study series — local and remote authentication (LDAP, RADIUS), captive portal, Fortinet Single Sign-On (FSSO) modes, and certificate operations including SSL deep inspection.
-
NSE4 Part 5: Logging, Monitoring & Diagnostics
Part 5 of the NSE4 study series — log categories and severity, local vs remote storage, FortiAnalyzer and syslog forwarding, threat weight scoring, and the diagnostic commands you actually reach for under pressure.
-
NSE4 Part 7: SSL VPN
Part 7 of the NSE4 study series — SSL VPN modes (web, tunnel, full), portals, realms, MFA, split tunnelling and the diagnostic commands for tracking down a stuck client.
-
NSE4 Part 8: IPsec VPN
Part 8 of the NSE4 study series — IKEv1 vs IKEv2, route-based vs policy-based, site-to-site and dial-up, NAT traversal, dead peer detection, and the two diagnostic commands that separate a Phase 1 problem from a Phase 2 problem.