SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS ISC Stormcast, Jan 23, 2025: PFSync Protocol; Oracle CPU; Korean VPN Supply Chain Attack; Ivanti Guidance

SANS ISC Handlers

Tech News, News, Technology

4.9696 Ratings

🗓️ 22 January 2025

⏱️ 8 minutes

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. SANS ISC Stormcast, Jan 23, 2025: PFSync Protocol; Oracle CPU; Korean VPN Supply Chain Attack; Ivanti Guidance

Transcript

0:00.9

Hello and welcome to the Thursday, January 23rd, 2025 edition of the SANS Internet Storm Center's Stormcast.

0:10.2

My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida.

0:15.7

In diaries today, I wrote up a little bit an odd network protocol, PF Sync. PF Sync comes

0:23.1

out of the OpenBSD project

0:24.9

and it's used in order to synchronize the state

0:28.7

between a primary and a secondary

0:31.0

firewall in order to allow for

0:33.7

failover. What this means is

0:36.7

that whenever there is a new session being established, using the primary

0:42.2

firewall, that is communicated to the secondary firewall via this PF Sync protocol.

0:48.7

Now what makes it a little bit odd protocol, it is not sort of part of the normal IETF standard process. There is no RFC for it. It uses

0:58.8

the protocol number 240, which actually is just as unused in the IANA list of protocols. So,

1:09.5

there are not a ton of tools to really analyze these packets.

1:13.4

Wireshark, for example, is this the version I use, which is a recent version, did not recognize

1:19.0

this protocol. With tcpdump, it's a little bit hit and miss, depending on what version of

1:24.9

tcpdump you're running. The versions of tcpdump usually coming with BSD are actually able to analyze PF Sync while

1:32.7

others, mine, for example, here on the Mac, it's a little bit odd version anyway on the Mac,

1:38.6

does not analyze PF Sync.

1:42.1

The protocol is, however, interesting because it does include a lot of network information.

1:47.6

So from an offensive and defensive point of view, there's a lot of information that you

1:52.0

can learn from PFSync packets.

1:55.6

From a defense point of view, you also want to make sure that PF Sync is using a dedicated link between

...
