Archive for the ‘Juniper’ Category

PPTP Pass-through through Juniper NS 5GT Firewall

July 16th, 2010 rsivanandan No comments

A reader asked about this in the comments, so here is the procedure. Say there is a PPTP server on the trust side of your NetScreen firewall (this applies to all or most NetScreen firewalls running ScreenOS). For simplicity, assume the device is in NAT mode and you want to allow PPTP VPN connections coming in from the internet; follow the steps below.

First, create a custom service for the PPTP requirement (this is specific to Microsoft Windows PPTP):

set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048

set service CustomPPTP + tcp src 0-65535 dst 1723-1723

The first line creates a custom service named “CustomPPTP” for IP protocol 47 (GRE) with a source/destination port range of 2048-2048 (GRE itself carries no port numbers; the range is only there because the service definition asks for one).

The second line adds TCP port 1723 (the PPTP control channel) to the same service.

The next step is to NAT the internal PPTP server to a publicly accessible address using a public IP. Here we use the address already assigned to the untrust interface (the single-public-IP scenario):

set vip multi-port

set interface ethernet0/0 vip 2048 CustomPPTP 10.1.1.10

The first line turns on multi-port VIP. Normally a VIP listens on a single port; when a single IP address is used and multiple ports must be forwarded, multi-port VIP is needed.

The second line creates a VIP on port 2048 for the internal PPTP server, assumed here to be 10.1.1.10.

Almost done; the only thing left is a policy allowing traffic through:

set policy from untrust to trust "any" "VIP::1" "CustomPPTP" permit

The above policy allows any machine from untrust zone (internet) to connect to VIP address (trust zone) for the service “CustomPPTP”.

Save the configuration and it should work just fine.
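As an added example (not code from the original post or from Juniper), here is a small Python checker that parses the ScreenOS lines above and verifies that the service, VIP and policy fit together. This is the first thing to look at when a PPTP client connects but never gets past authentication: a missing GRE entry lets TCP/1723 through while the data channel is silently dropped. The sample config is constructed from the commands in the post, and the handling of the `group "other"` prefix and the `src`/`dst` keywords follows the syntax shown here rather than a complete ScreenOS grammar.

```python
"""Check that a ScreenOS PPTP VIP pass-through is wired up consistently.

Added example, not code from the original post or from Juniper. It parses
the 'set service', 'set vip', 'set interface ... vip' and 'set policy'
lines of a ScreenOS config and verifies that the VIP's service exists,
carries both GRE (IP protocol 47) and TCP/1723, that multi-port VIP is on
when more than one port is forwarded, and that a permit policy from the
external zone to the internal zone names the service and a VIP address.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample: the commands from the post, collected into one config.
SAMPLE_CONFIG = """
set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048
set service CustomPPTP + tcp src 0-65535 dst 1723-1723
set vip multi-port
set interface ethernet0/0 vip 2048 CustomPPTP 10.1.1.10
set policy from untrust to trust "any" "VIP::1" "CustomPPTP" permit
"""

PORT_RANGE = re.compile(r"^(\d+)-(\d+)$")
PROTO_NUM = {"tcp": 6, "udp": 17, "gre": 47}


def port_range(text):
    """'0-65535' -> (0, 65535)."""
    m = PORT_RANGE.match(text)
    if not m:
        raise ValueError("bad port range: %r" % text)
    return int(m.group(1)), int(m.group(2))


def parse_screenos(text):
    """Collect services, VIPs and policies from 'set ...' lines."""
    cfg = {"services": defaultdict(list), "vips": [], "policies": [],
           "multi_port_vip": False}
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())
        if len(tok) < 3 or tok[0] != "set":
            continue
        if tok[1] == "vip" and tok[2] == "multi-port":
            cfg["multi_port_vip"] = True
        elif tok[1] == "service":
            name, rest = tok[2], tok[3:]
            if rest[:1] == ["+"]:              # '+' appends an entry to an existing service
                rest = rest[1:]
            elif rest[:1] == ["group"]:        # 'group "other"' prefix on the first entry
                rest = rest[2:]
            if len(rest) < 5:
                continue
            proto = PROTO_NUM.get(rest[0].lower())
            if proto is None:
                proto = int(rest[0])           # numeric IP protocol, e.g. 47 for GRE
            opts = dict(zip(rest[1::2], rest[2::2]))   # {'src': '0-65535', 'dst': ...}
            cfg["services"][name].append({"proto": proto,
                                          "src": port_range(opts["src"]),
                                          "dst": port_range(opts["dst"])})
        elif tok[1] == "interface" and len(tok) >= 7 and tok[3] == "vip":
            cfg["vips"].append({"interface": tok[2], "port": int(tok[4]),
                                "service": tok[5], "internal_ip": tok[6]})
        elif tok[1] == "policy" and len(tok) >= 10 and tok[2] == "from":
            cfg["policies"].append({"from": tok[3], "to": tok[5], "src": tok[6],
                                    "dst": tok[7], "service": tok[8], "action": tok[9]})
    return cfg


def audit_pptp_vip(text, external_zone="untrust", internal_zone="trust"):
    """Return {'ok': bool, 'findings': [...]} for the PPTP VIP pass-through."""
    cfg = parse_screenos(text)
    findings = []
    if not cfg["vips"]:
        return {"ok": False, "findings": ["no VIP is configured"]}
    for vip in cfg["vips"]:
        entries = cfg["services"].get(vip["service"], [])
        if not entries:
            findings.append("VIP on %s references undefined service %s"
                            % (vip["interface"], vip["service"]))
            continue
        if not any(e["proto"] == 47 for e in entries):
            findings.append("service %s lacks GRE (protocol 47); the PPTP data "
                            "channel would be dropped" % vip["service"])
        if not any(e["proto"] == 6 and e["dst"][0] <= 1723 <= e["dst"][1] for e in entries):
            findings.append("service %s lacks TCP/1723 (PPTP control channel)" % vip["service"])
        if (len(entries) > 1 or len(cfg["vips"]) > 1) and not cfg["multi_port_vip"]:
            findings.append("'set vip multi-port' is missing but more than one port is forwarded")
        permits = [p for p in cfg["policies"]
                   if p["from"] == external_zone and p["to"] == internal_zone
                   and p["action"] == "permit" and p["dst"].upper().startswith("VIP::")
                   and p["service"].lower() in (vip["service"].lower(), "any")]
        if not permits:
            findings.append("no permit policy from %s to %s for service %s to a VIP address"
                            % (external_zone, internal_zone, vip["service"]))
    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    result = audit_pptp_vip(SAMPLE_CONFIG)
    for line in result["findings"] or ["PPTP VIP pass-through looks consistent"]:
        print(line)
```

Paste the output of `get config` into `SAMPLE_CONFIG` (or read it from a file) to run it against a real box; unrelated lines are ignored.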

Juniper KB Link

Categories: Juniper, VPN, Windows Tags:

Block Facebook using Juniper SRX

July 13th, 2010 rsivanandan 2 comments

Continuing from the last post on MPF in the Cisco ASA series: Juniper’s next-generation firewalls (the SRX series, which run JunOS) can also be used to block unwanted sites. While SRX supports integration with SurfControl, Websense and so on, this post focuses on the built-in capability, just as the ASA post did.

The UTM (Unified Threat Management) feature is integrated into SRX devices. To block one or more sites:

1. First, create custom block lists containing the websites you want to block.

custom-objects {
    url-pattern {
        badsite {
            value www.facebook.com;
        }
        addictivesite {
            value www.twitter.com;
        }
    }
    custom-url-category {
        bad-sites {
            value [ addictivesite badsite ];
        }
    }
}

As you can see, the custom URL category above contains ‘www.facebook.com’ and ‘www.twitter.com’; depending on your preferences, other time-eating sites like MySpace can be added here too. Again, the advantage is that it matches URLs rather than IP addresses, so it stays effective however many servers host the site around the world.

2. Then create a web-filtering policy that permits the traffic only after screening the category/site it is going to, as below:

policies {
    from-zone trust to-zone untrust {
        policy utm {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        utm-policy wf-block-specfic-categories;
                    }
                }
            }
        }
    }
}
utm {
    feature-profile {
        web-filtering {
            url-blacklist bad-sites;    /* sites in the bad-sites category are blocked */
        }
    }
    utm-policy wf-block-specfic-categories {
        web-filtering {
            http-profile block-selected-sites;
        }
    }
}

SRX also supports ‘custom block messages’, and the block can be made time-bound: if you don’t want to block a site completely but only during business hours, that is possible too by attaching a scheduler to the policy.
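As an added example (not from the original post or from Juniper), the following Python script parses the JunOS curly-brace configuration and cross-checks the names used in it. A typo in a url-pattern or category name, or a utm-policy name that differs between the security policy and the utm stanza, means the site is silently not blocked, and the commit does not always catch it. The sample config is constructed from the stanzas above, wrapped in `security { }`; the script understands the generic curly-brace syntax, not JunOS semantics.

```python
"""Cross-check the name references in an SRX UTM web-filtering configuration.

Added example, not from the original post or from Juniper: it parses JunOS
curly-brace config into nested dicts and checks that each custom-url-category
lists defined url-patterns, that url-blacklist names a defined category, and
that the security policy's utm-policy exists.
"""
import re
# Constructed sample assembled from the post's stanzas under 'security { }'.
SAMPLE_CONFIG = """
security {
    utm {
        custom-objects {
            url-pattern {
                badsite { value www.facebook.com; }
                addictivesite { value www.twitter.com; }
            }
            custom-url-category {
                bad-sites { value [ addictivesite badsite ]; }
            }
        }
        feature-profile {
            web-filtering { url-blacklist bad-sites; }  # sites in bad-sites are blocked
        }
        utm-policy wf-block-specfic-categories {
            web-filtering { http-profile block-selected-sites; }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy utm {
                match { source-address any; destination-address any; application any; }
                then { permit { application-services { utm-policy wf-block-specfic-categories; } } }
            }
        }
    }
}
"""

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')   # quoted string, brace, ';' or word

def parse_junos(text):
    """Parse curly-brace config into nested dicts: each block is keyed by its
    header ('policy utm'); the block's statements go in its '_stmts' list."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)                         # /* annotations */
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())  # '# comments'
    root = {"_stmts": []}
    stack, words = [root], []
    for tok in TOKEN.findall(text):
        if tok == "{":
            node = {"_stmts": []}
            stack[-1][" ".join(words)] = node
            stack.append(node)
            words = []
        elif tok == ";":
            stack[-1]["_stmts"].append(" ".join(words))
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root

def block(node, *path):          # follow block headers; empty block if a part is missing
    for key in path:
        node = node.get(key, {"_stmts": []})
    return node

def stmt(node, keyword):         # argument of the first statement starting with keyword
    for s in node["_stmts"]:
        head, _, arg = s.partition(" ")
        if head == keyword:
            return arg
    return None

def names(node, prefix=""):      # child block names, optionally filtered by header prefix
    return [k[len(prefix):] for k in node if k != "_stmts" and k.startswith(prefix)]

def check_utm_web_filtering(text):
    """Return the dangling references found (an empty list when all names resolve)."""
    cfg = parse_junos(text)
    utm = block(cfg, "security", "utm")
    findings = []
    patterns = set(names(block(utm, "custom-objects", "url-pattern")))
    categories = block(utm, "custom-objects", "custom-url-category")
    for cat in names(categories):
        for ref in (stmt(categories[cat], "value") or "").strip("[] ").split():
            if ref not in patterns:
                findings.append("category %s lists undefined url-pattern %s" % (cat, ref))
    blacklist = stmt(block(utm, "feature-profile", "web-filtering"), "url-blacklist")
    if blacklist is not None and blacklist not in names(categories):
        findings.append("url-blacklist names undefined category %s" % blacklist)
    policies = block(cfg, "security", "policies")
    for zones in names(policies):
        for pol in names(policies[zones], "policy "):
            svc = block(policies[zones], "policy " + pol, "then", "permit", "application-services")
            ref = stmt(svc, "utm-policy")
            if ref is not None and ref not in names(utm, "utm-policy "):
                findings.append("policy %s (%s) uses undefined utm-policy %s" % (pol, zones, ref))
    return findings
```

Feed it the output of `show configuration security` and an empty list means every name resolves; each finding names the stanza that points at something undefined.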

SSG-5 Wireless Configuration

February 2nd, 2010 rsivanandan No comments

Configuring SSG-5 wireless is a breeze. The only commands needed are listed below.

This assumes that the wireless network is your trusted network and that you want it NATed behind the untrust IP address when going to the internet or other networks.

   1: set interface "wireless0/0" zone "Trust"

   2: set interface wireless0/0 ip 192.168.2.1/24

   3: set interface wireless0/0 nat

   4: set interface wireless0/0 ip manageable

   5: set interface wireless0/0 dhcp server service

   6: set interface wireless0/0 dhcp server auto

   7: set interface wireless0/0 dhcp server option gateway 192.168.2.1

   8: set interface wireless0/0 dhcp server option netmask 255.255.255.0

   9: set interface wireless0/0 dhcp server option domainname mycompany.com

  10: set interface wireless0/0 dhcp server option dns1 192.168.20.20

  11: set interface wireless0/0 dhcp server option dns2 192.168.128.50

  12: set interface wireless0/0 dhcp server ip 192.168.2.33 to 192.168.2.126

  13: unset interface wireless0/0 dhcp server config next-server-ip

  14: set ssid WLAN interface wireless0

1 –> puts the interface wireless0/0 in the Trust zone.

2 –> sets the IP address on the wireless interface.

3 –> sets the wireless interface to NAT mode.

4 –> makes the wireless interface manageable (ping/ssh/web etc).

5 –> turns the DHCP server service on for the wireless interface.

6 to 13 –> set the network parameters handed out by the DHCP server.

14 –> defines the SSID to which users connect.

Note that no wireless encryption is configured here; this is intended to be a simple post.
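As an added example (not from the original post or from Juniper), this Python script parses the interface commands above and cross-checks the DHCP server settings against the interface address, which is the usual cause of a client associating with the SSID but getting no usable IP: a gateway that is not the interface, a netmask that disagrees with the prefix, or a pool outside the subnet. The sample config is constructed from the commands in the post.

```python
"""Sanity-check the IP and DHCP settings of a ScreenOS interface such as wireless0/0.

Added example, not code from the original post or from Juniper. It parses
the 'set interface ...' lines and checks the things that silently break a
wireless LAN when they are inconsistent: the DHCP gateway must be the
interface address, the DHCP netmask must match the interface prefix, and
the DHCP pool must lie inside the subnet without covering the gateway.
"""
import ipaddress
import shlex

# Constructed sample: the post's commands, collected into one config.
SAMPLE_CONFIG = """
set interface "wireless0/0" zone "Trust"
set interface wireless0/0 ip 192.168.2.1/24
set interface wireless0/0 nat
set interface wireless0/0 ip manageable
set interface wireless0/0 dhcp server service
set interface wireless0/0 dhcp server auto
set interface wireless0/0 dhcp server option gateway 192.168.2.1
set interface wireless0/0 dhcp server option netmask 255.255.255.0
set interface wireless0/0 dhcp server option domainname mycompany.com
set interface wireless0/0 dhcp server option dns1 192.168.20.20
set interface wireless0/0 dhcp server option dns2 192.168.128.50
set interface wireless0/0 dhcp server ip 192.168.2.33 to 192.168.2.126
unset interface wireless0/0 dhcp server config next-server-ip
set ssid WLAN interface wireless0
"""


def parse_interfaces(text):
    """Return {interface: {'zone', 'address', 'flags', 'dhcp_options', 'pools'}}."""
    ifaces = {}
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())
        if len(tok) < 4 or tok[:2] != ["set", "interface"]:
            continue
        cfg = ifaces.setdefault(tok[2], {"flags": set(), "dhcp_options": {}, "pools": []})
        rest = tok[3:]
        if rest[0] == "zone" and len(rest) > 1:
            cfg["zone"] = rest[1]
        elif rest[0] == "ip" and len(rest) > 1:
            if rest[1] == "manageable":
                cfg["flags"].add("manageable")
            else:
                cfg["address"] = ipaddress.ip_interface(rest[1])   # e.g. 192.168.2.1/24
        elif rest[0] == "nat":
            cfg["flags"].add("nat")
        elif rest[:2] == ["dhcp", "server"] and len(rest) > 2:
            if rest[2] == "service":
                cfg["flags"].add("dhcp-server")
            elif rest[2] == "option" and len(rest) >= 5:
                cfg["dhcp_options"][rest[3]] = rest[4]          # gateway, netmask, dns1, ...
            elif rest[2] == "ip" and len(rest) == 6 and rest[4] == "to":
                cfg["pools"].append((ipaddress.ip_address(rest[3]), ipaddress.ip_address(rest[5])))
    return ifaces


def check_dhcp(ifaces, name):
    """List inconsistencies between an interface's address and its DHCP server settings."""
    cfg = ifaces.get(name)
    if cfg is None or "address" not in cfg:
        return ["%s has no IP address configured" % name]
    addr, net, findings = cfg["address"].ip, cfg["address"].network, []
    if "dhcp-server" not in cfg["flags"]:
        return findings                              # nothing to cross-check
    opts = cfg["dhcp_options"]
    gateway = opts.get("gateway")
    if gateway is None or ipaddress.ip_address(gateway) != addr:
        findings.append("DHCP gateway %s is not the interface address %s" % (gateway, addr))
    mask = opts.get("netmask")
    if mask is None or ipaddress.ip_network("0.0.0.0/" + mask).prefixlen != net.prefixlen:
        findings.append("DHCP netmask %s does not match interface prefix /%d" % (mask, net.prefixlen))
    if not cfg["pools"]:
        findings.append("DHCP server is on but no address pool is defined")
    for low, high in cfg["pools"]:
        if low > high or low not in net or high not in net:
            findings.append("DHCP pool %s-%s is not inside %s" % (low, high, net))
        elif low <= addr <= high:
            findings.append("DHCP pool %s-%s covers the gateway %s" % (low, high, addr))
    return findings


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    print(check_dhcp(ifaces, "wireless0/0") or ["wireless0/0 DHCP settings are consistent"])
```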

Categories: Juniper

Minimal Configuration on a Juniper Router (JunOS)

January 30th, 2010 rsivanandan No comments

Here are some of the basic things that need to be done on a Juniper router, be it M/MX/T/J-series, for it to be connected and accessible on the network. Dividing up the tasks:

1. The first is to rack it up, connect the cables and power it up.

2. Then log in to the router using its console port (usually on the front).

3. A Juniper router lets the management interface be either a dedicated management port or a regular port. I won’t go into the details here :-)

4. Set up the IP address for the management port.

5. Enable the needed access from the network to the box itself.

After these steps, you have the router up and running on the network, and you can do the rest of the configuration on it. I intend to cover that later across multiple posts.

Now to action: 1 & 2 are fairly straightforward, so let’s look at 3.

The management port is usually “fxp0” on the router, a dedicated management port (out-of-band management).

Or you can use one of the normal ports, like “ge-0/0/0”, for management (in-band management).

The first part is to assign an IP address to the management port:

root@PE3-MX480% cli

root@PE3-MX480> configure

[edit]

root@PE3-MX480# set interfaces fxp0 unit 0 family inet address 192.168.1.1/24

Enabling remote access: there are different protocols available, mainly SSH, Telnet and HTTP.

To enable these protocols on the management interface:

set system services ssh

set system services ssh root-login allow

set system services ssh protocol-version v1

set system services ssh protocol-version v2

set system services telnet

set system services web-management http

As you can see, SSH, Telnet and HTTP access are all enabled, and you can also see how to enable root login via SSH (not allowed by default).

After you configure all these, you have access to the box via these protocols from the local network. You can verify it by issuing the command:

root@PE3-MX480> show configuration | display set

OR

root@PE3-MX480> show configuration (this shows the configuration in the C-like, curly-brace syntax)
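As an added example (not from the original post or from Juniper), the following Python script reads `set system services` statements in the `display set` form shown above, reports which management protocols are enabled, and flags the ones a reviewer would want tightened before the box is reachable from the network: Telnet, HTTP, SSH protocol version 1 and SSH root login. It also carries the equivalent statements restricted to SSH v2 and HTTPS so the two can be compared side by side. Both sample configs are constructed from the post's statements.

```python
"""Audit the 'system services' statements of a JunOS set-format configuration.

Added example, not code from the original post or from Juniper. It reads
'set system services ...' lines, reports which management protocols are
enabled, and flags the ones a reviewer would want tightened: cleartext
Telnet and HTTP, SSH protocol version 1 and SSH root login. A hardened set
of statements is included for comparison.
"""
import shlex

# Constructed sample: the post's statements, as 'show configuration | display set' prints them.
SAMPLE_CONFIG = """
set system services ssh
set system services ssh root-login allow
set system services ssh protocol-version v1
set system services ssh protocol-version v2
set system services telnet
set system services web-management http
"""

# Same management access limited to encrypted protocols: SSH v2 only, HTTPS with
# the device's self-generated certificate, and no root login over SSH.
HARDENED_CONFIG = """
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services web-management https system-generated-certificate
"""

# (prefix of the tokens after 'set system services', reason it is flagged)
RISKY = [
    (("telnet",), "telnet sends credentials and sessions in cleartext"),
    (("web-management", "http"), "web-management http sends credentials in cleartext"),
    (("ssh", "protocol-version", "v1"), "SSH protocol version 1 is obsolete and weak"),
    (("ssh", "root-login", "allow"), "root login over SSH is allowed"),
]


def parse_services(text):
    """Return the set of token tuples that follow 'set system services'."""
    services = set()
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())
        if tok[:3] == ["set", "system", "services"] and len(tok) > 3:
            services.add(tuple(tok[3:]))
    return services


def audit_services(text):
    """Return {'enabled': [service names], 'findings': [flagged statements]}."""
    services = parse_services(text)
    enabled = sorted({s[0] for s in services})
    findings = []
    for prefix, reason in RISKY:
        if any(s[:len(prefix)] == prefix for s in services):
            findings.append("set system services %s: %s" % (" ".join(prefix), reason))
    return {"enabled": enabled, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("post", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_services(cfg)
        print(label, "enables:", ", ".join(result["enabled"]))
        for finding in result["findings"]:
            print("  -", finding)
```

Run it over `show configuration system services | display set` output; the prefix match means statements with extra options (a non-default port, for example) are still recognised.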

Categories: Juniper

Documentation for Juniper Devices

January 24th, 2010 rsivanandan No comments

One of the best parts about Microsoft and Cisco is not just the products but the supporting documentation as well: it is vast, with many configuration examples and actual configuration samples.

If you want to load something onto a brand-new Cisco device, just Google it; copy and paste takes care of the minimal configuration, and a few modifications bring it up in minutes.

Unfortunately, Juniper’s documentation can’t match the number of search results you get for other vendors. For example, if I have to learn about NSRP and just type ‘nsrp’ into Google, I get at most 3 or 4 relevant results, and even those are the basic ‘how to configure’ kind. On the other hand, if you use Google’s advanced search operators, you get much better results on the subject you’re searching. For example:

nsrp site:kb.juniper.net

The search above yields only results from the Juniper KB site, and it lines up a wide variety of information for you to dig into.

While this is true of every vendor’s documentation, I just wanted to emphasize the use of ‘kb.juniper.net’ instead of ‘www.juniper.net’, because there is a difference :-)

Categories: Juniper

Best Tech Companies to Work For!

December 17th, 2009 rsivanandan No comments

Based on Glassdoor.com surveys of the employees of each company, Juniper Networks ranks first!

Got this snippet from { Here }

One difference about Glassdoor compared to other rankings is that these are derived from anonymous input from the organizations’ own employees.

Categories: Juniper, Tech in general

Juniper SSG 140 vs Fortinet FG – 224B Comparison

September 30th, 2009 rsivanandan No comments

There is a good comparison chart available between these two firewalls:

{ Click Here to get it }

Though it is a comparison with the FG-224B, you can pretty much see the plus points that come with the Juniper SSG series of firewalls.

Categories: Juniper

Juniper Security Rocks!

September 17th, 2009 rsivanandan No comments

The 2009 Information Security/SearchSecurity.com Readers’ Choice awards have been announced, and guess what: Juniper won the best security solution award in the following categories:

  • Intrusion Prevention: Gold Award: Juniper IDP Series
  • NAC: Gold Award: Juniper Networks Unified Access Control
  • Remote Access: Silver Award: Juniper Networks SA Series SSL VPN Appliances

Last year Juniper was named a finalist in five categories and won an award in each category, including Authentication, NAC, Network Firewalls, Remote Access and UTM. Juniper SSG, ISG and SA SSL VPN won Gold awards.  UAC won a Silver award. Juniper Steel-Belted Radius, NetScreen and SSG won Bronze awards.

Way to go Juniper! Juniper’s security products have been on the market for only a few years, but they have still made it through and now take on the long-timers!

Categories: Juniper, Tech in general

One Million Ports Sold – Juniper

August 22nd, 2009 rsivanandan No comments

The latest news on Juniper’s success in diversified market segments concerns the ‘Ethernet Platforms’. Despite the recession, growth has been pretty steady quarter over quarter, and as per Mike Banic, VP of Product Marketing at Juniper Networks: “Based on the companies covered in the Dell’Oro report, over the past five quarters of revenue shipments, Juniper has grown its EX Series switch revenue faster than any enterprise Layer 2/Layer 3 switch vendor entering the market in the previous decade.”

Full News at Yahoo

Some interesting facts if we look back: Juniper had a wide variety of products, and what the portfolio lacked for a ‘complete solution’ was switches. I used to wonder why they hadn’t started a business unit around this; based on their reputation and, more importantly, the fact that people like choices, it seemed imperative that they should have done this a couple of years back. Of course it would be a huge investment; can’t discount that.

Instead of a vendor setting the standards and price tags, a customer always prefers a choice of vendors where he gets to make the calls!

Great going Juniper…

At this point, something strange: the EVP of the Ethernet Platforms Group at Juniper, Hitesh Sheth, has moved to Aruba to take the position of COO. This would be the first COO position at Aruba!

Full News at bizjournals

Categories: Juniper

Juniper e-Learning Programs

January 10th, 2009 rsivanandan No comments

It doesn’t get much attention that there are many e-Learning courses available from Juniper free of cost. Mostly they are pointed out by SEs or at product road shows; otherwise, Juniper lacks the publicity that Cisco and MSFT have carried on eLearning for a long period.

So, to let people know: Juniper does offer eLearning programs on Enterprise Routing, Enterprise Switching, Security, etc.

ERouting

Also, one of the interesting trainings is the Intrusion Prevention training, which can be accessed here. [Click]

Click on the picture above to check out all the available courses.

Categories: Juniper