

Topics - sighup9

1
DX, WX, and WXC platforms / Any comments on 5.4.1 code?
« on: October 18, 2006, 08:34:21 pm »
I recently purchased 2 WX-20s and was wondering if anyone is running 5.4.1 or not. It looks as though there are quite a lot of new features and I'm thinking it might be better to deploy 5.2.5 for now. Any thoughts are greatly appreciated.

2
Routers / Capturing data for later use if a router goes down
« on: October 11, 2006, 11:53:40 am »
I thought others might benefit from someone describing what to capture if a router goes down, in the event you need to contact JTAC later or conduct your own post mortem:

From a workstation terminal session, enable logging to disk and enter the following router commands:
show interface extensive  (for each interface involved)
show log messages
show log chassisd
request support information |no-more

document any configuration or hardware changes just prior to the event
document/capture any snmp management information such as traffic patterns.
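
Here is an added example (my own, not the original poster's code) that wraps the command list above in a small capture script: it runs one `show interfaces <ifd> extensive` per involved interface followed by the log and support-information commands, and appends each output to a log file under a UTC-timestamped header so the file can be handed to JTAC or read later. It assumes key-based ssh to the router's management address already works; the runner is injectable so the logic can be exercised without a router.

```python
import datetime
import subprocess

# Commands from the post that do not depend on a particular interface, in the order given.
FIXED_COMMANDS = [
    "show log messages",
    "show log chassisd",
    "request support information | no-more",
]


def post_mortem_commands(interfaces):
    """One `show interfaces <ifd> extensive` per involved interface, then the fixed commands."""
    return [f"show interfaces {ifd} extensive" for ifd in interfaces] + FIXED_COMMANDS


def ssh_runner(router, command):
    """Default runner: non-interactive ssh to the router (assumption: key-based login to its
    management address is already set up; BatchMode makes a missing key fail instead of hang)."""
    result = subprocess.run(["ssh", "-o", "BatchMode=yes", router, command],
                            capture_output=True, text=True)
    return result.stdout + result.stderr


def capture_router_state(router, interfaces, logfile, runner=ssh_runner):
    """Append every command's output to `logfile` under a UTC-timestamped header.
    Returns the list of commands that were run, in order."""
    commands = post_mortem_commands(interfaces)
    with open(logfile, "a", encoding="utf-8") as fh:
        for cmd in commands:
            stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            fh.write(f"=== {stamp} {router}> {cmd}\n")
            fh.write(runner(router, cmd))
            fh.write("\n")
    return commands


if __name__ == "__main__":
    import sys
    # usage: capture.py <router> <logfile> <interface> [<interface> ...]
    capture_router_state(sys.argv[1], sys.argv[3:], sys.argv[2])
```

Run it as soon as the router is reachable again, before anyone clears logs or reboots; the appended headers keep several capture rounds apart in one file.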

3
Routers / Locking down an Internet router and filtering known garbage
« on: October 05, 2006, 04:18:23 am »
For the benefit of anyone who is interested, here's an idea of how to lock down an Internet router and discard known inbound garbage. Be careful deploying filters on a production router - one false move and you can clobber "good" traffic. Standard disclaimer - this is for informational purposes, use at your own risk, caveat emptor, etc... If I see this verbatim in a book with no notification, you better keep a close watch on the smoke gates in your computer equipment, car, home, etc. ;)

Juniper has an overview at http://www.juniper.net/solutions/literature/app_note/350013.pdf#search=%22juniper%20router%20prefix%20list%22

Let's assume you:
 Have a T-1 connection to the Internet with serial IP address 1.1.1.1
 Have a routable Ethernet address 2.2.2.2
 Want to filter out bogon/martian address blocks (see http://www.cymru.com/Documents/bogon-list.html for more info.)
  Note: I use a subset of the above.
 Want to block snmp attempts inbound to your serial interface.
 Want to be able to manage the router unencumbered from your LAN.
 Want to block external access except from one specific Internet address 5.5.5.5 (terms below are noxmgmt and xmgmt respectively).

If you are worried about overhead, I have more terms than those listed below. CPU utilization on my J4300 with 2xT1s MLPPP historically for the last year doesn't exceed 5% for the most part (I monitor it via MRTG).
 

First, your serial config - the line worth noting is "input 125" - that tells the router to apply firewall filter 125 inbound on the serial interface. It is also wise to put the circuit ID in the description!

    t1-1/0/0 {
        unit 0 {
            description "CircuitID xxxxxxxxx";
            encapsulation ppp;
            family inet {
                filter {
                    input 125;
                }
                address 1.1.1.1/32 {
                    destination x.x.x.x;
                }
            }
        }
    }           
 

Second, a summary of how it works:

 All the terms up to nosnmp (see below) block various known baddies and bogons/martian addresses.
 The terms beyond that discard management attempts other than ssh from 5.5.5.5
 Keep in mind, this applies only to inbound traffic on your serial interface so router access from your LAN will not be affected.
 I use counting so that I can get a quick summary of what terms show activity. Here's what it looks like:

Mondo_Inet> show firewall filter 125 
Filter: 125                                                   
Counters:
Name                                                Bytes              Packets
blaster                                           4076720                84540
slammer                                           5271140                13053
rpcmapper                                               0                    0
cifs                                                   80                    2
0.0.0.0/7                                               0                    0
2.0.0.0/8                                               0                    0
5.0.0.0/8                                               0                    0
7.0.0.0/8                                               0                    0
10.0.0.0/8                                          13620                   33
23.0.0.0/8                                              0                    0
27.0.0.0/8                                              0                    0
31.0.0.0/8                                              0                    0
36.0.0.0/7                                              0                    0
39.0.0.0/8                                              0                    0
42.0.0.0/8                                              0                    0
49.0.0.0/8                                              0                    0
50.0.0.0/8                                              0                    0
92.0.0.0/6                                              0                    0
169.254.0.0/16                                          0                    0
172.16.0.0/12                                         112                    2
173.0.0.0/8                                             0                    0
174.0.0.0/7                                             0                    0
176.0.0.0/5                                             0                    0
184.0.0.0/6                                             0                    0
192.0.2.0/24                                            0                    0
192.168.0.0/16                                         56                    1
197.0.0.0/8                                             0                    0
198.0.0.0/15                                            0                    0
223.0.0.0/8                                             0                    0
224.0.0.0/3                                             0                    0
antispoof                                               0                    0
nosnmp                                                  0                    0
noxmgmt                                              6172                  121


Finally, the filter:

firewall {
    family inet {   
        filter 125 {
            term slammer {
                from {
                    protocol udp;
                    destination-port 1434-1435;
                }
                then {
                    count slammer;
                    reject;
                }
            }
            term blaster {
                from {
                    protocol [ udp tcp ];
                    destination-port [ 69 135 139 445 4444 ];
                }
                then {
                    count blaster;
                    reject;
                }
            }
            term CIFS {
                from {
                    protocol tcp;
                    port 445;
                }
                then {
                    count cifs;
                    discard;
                }
            }
            term RPCmapper {
                from {
                    protocol tcp;
                    port 593;
                }
                then {
                    count rpcmapper;
                    discard;
                }
            }
            term 0.0.0.0/7 {
                from {
                    source-address {
                        0.0.0.0/7;
                    }
                }
                then {
                    count 0.0.0.0/7;
                    discard;
                }
            }
            term 2.0.0.0/8 {
                from {
                    source-address {
                        2.0.0.0/8;
                    }
                }
                then {
                    count 2.0.0.0/8;
                    discard;
                }
            }
            term 5.0.0.0/8 {
                from {
                    source-address {
                        5.0.0.0/8;
                    }
                }   
                then {
                    count 5.0.0.0/8;
                    discard;
                }
            }
            term 7.0.0.0/8 {
                from {
                    source-address {
                        7.0.0.0/8;
                    }
                }
                then {
                    count 7.0.0.0/8;
                    discard;
                }
            }
            term 10.0.0.0/8 {
                from {
                    source-address {
                        10.0.0.0/8;
                    }
                }
                then {
                    count 10.0.0.0/8;
                    discard;
                }
            }
            term 23.0.0.0/8 {
                from {
                    source-address {
                        23.0.0.0/8;
                    }
                }
                then {
                    count 23.0.0.0/8;
                    discard;
                }
            }
            term 27.0.0.0/8 {
                from {
                    source-address {
                        27.0.0.0/8;
                    }
                }
                then {
                    count 27.0.0.0/8;
                    discard;
                }
            }
            term 31.0.0.0/8 {
                from {
                    source-address {
                        31.0.0.0/8;
                    }
                }
                then {
                    count 31.0.0.0/8;
                    discard;
                }
            }
            term 36.0.0.0/7 {
                from {
                    source-address {
                        36.0.0.0/7;
                    }
                }
                then {
                    count 36.0.0.0/7;
                    discard;
                }
            }
            term 39.0.0.0/8 {
                from {
                    source-address {
                        39.0.0.0/8;
                    }
                }
                then {
                    count 39.0.0.0/8;
                    discard;
                }
            }
            term 42.0.0.0/8 {
                from {
                    source-address {
                        42.0.0.0/8;
                    }
                }
                then {
                    count 42.0.0.0/8;
                    discard;
                }   
            }
            term 49.0.0.0/8 {
                from {
                    source-address {
                        49.0.0.0/8;
                    }
                }
                then {
                    count 49.0.0.0/8;
                    discard;
                }
            }
            term 50.0.0.0/8 {
                from {
                    source-address {
                        50.0.0.0/8;
                    }
                }
                then {
                    count 50.0.0.0/8;
                    discard;
                }
            }       
            term 92.0.0.0/6 {
                from {
                    source-address {
                        92.0.0.0/6;
                    }
                }
                then {
                    count 92.0.0.0/6;
                    discard;
                }
            }
            term 169.254.0.0/16 {
                from {
                    source-address {
                        169.254.0.0/16;
                    }
                }
                then {
                    count 169.254.0.0/16;
                    discard;
                }
            }
            term 172.16.0.0/12 {
                from {
                    source-address {
                        172.16.0.0/12;
                    }
                }
                then {
                    count 172.16.0.0/12;
                    discard;
                }
            }
            term 173.0.0.0/8 {
                from {
                    source-address {
                        173.0.0.0/8;
                    }
                }
                then {
                    count 173.0.0.0/8;
                    discard;
                }
            }
            term 174.0.0.0/7 {
                from {
                    source-address {
                        174.0.0.0/7;
                    }
                }
                then {
                    count 174.0.0.0/7;
                    discard;
                }
            }
            term 176.0.0.0/5 {
                from {
                    source-address {
                        176.0.0.0/5;
                    }
                }
                then {
                    count 176.0.0.0/5;
                    discard;
                }
            }
            term 184.0.0.0/6 {
                from {
                    source-address {
                        184.0.0.0/6;
                    }
                }
                then {
                    count 184.0.0.0/6;
                    discard;
                }
            }
            term 190.0.0.0/8 {
                from {
                    source-address {
                        190.0.0.0/8;
                    }
                }
                then {
                    count 190.0.0.0/8;
                    discard;
                }
            }
            term 192.0.2.0/24 {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                }
                then {
                    count 192.0.2.0/24;
                    discard;
                }
            }
            term 192.168.0.0/16 {
                from {
                    source-address {
                        192.168.0.0/16;
                    }
                }
                then {
                    count 192.168.0.0/16;
                    discard;
                }
            }
            term 197.0.0.0/8 {
                from {
                    source-address {
                        197.0.0.0/8;
                    }
                }
                then {
                    count 197.0.0.0/8;
                    discard;
                }
            }
            term 198.0.0.0/15 {
                from {
                    source-address {
                        198.0.0.0/15;
                    }
                }
                then {
                    count 198.0.0.0/15;
                    discard;
                }
            }
            term 223.0.0.0/8 {
                from {
                    source-address {
                        223.0.0.0/8;
                    }
                }
                then {
                    count 223.0.0.0/8;
                    discard;
                }   
            }
            term 224.0.0.0/3 {
                from {
                    source-address {
                        224.0.0.0/3;
                    }
                }
                then {
                    count 224.0.0.0/3;
                    discard;
                }
            }
            term antispoof {
                from {
                    source-address {
                        127.0.0.0/8;
                        240.0.0.0/4;
                        0.0.0.0/32;
                    }
                    protocol icmp;
                    icmp-type redirect;
                }
                then {
                    count antispoof;
                    discard;
                }
            }
            term nosnmp {
                from {
                    protocol udp;
                    destination-port [ snmp snmptrap ];
                }
                then {
                    count nosnmp;
                    discard;
                }
            }
            term xmgmt {
                from {
                    source-address {
                        5.5.5.5/32;
                    }
                    protocol tcp;
                    destination-port 22;
                }
                then {
                    syslog;
                    accept;
                }
            }
            term noxmgmt {
                from {
                    destination-address {
                        2.2.2.2/32;
                        1.1.1.1/32;
                    }
                    protocol tcp;
                    destination-port [ 22-23 80 443 ];
                }
                then {
                    count noxmgmt;
                    discard;
                }
            }
            term accept-all {
                then {
                    log;
                    accept;
                }   
            }
        }
    }
}

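As an added example (mine, not the original poster's), here is a first-match model of the filter above in Python. It reproduces the Junos rules that matter when reading a filter like this: terms are tried top to bottom and the first matching `from` decides; inside one `from`, different match conditions are ANDed while values listed under one condition are ORed; and `port` matches either the source or the destination port. The per-prefix terms are the ones whose counters appear in the `show firewall filter 125` output above; the router and management addresses are the post's placeholders (1.1.1.1, 2.2.2.2, 5.5.5.5) and the `snmp`/`snmptrap` keywords are assumed to be UDP 161/162. The second function parses that counter output and lists the terms that have seen packets, which is the "quick summary" the post uses counting for. Running the model shows two ordering effects worth knowing: destination port 445 is always taken by `blaster` before `CIFS` (so `cifs` only counts source-port-445 traffic), and the placeholder 5.5.5.5 falls inside the 5.0.0.0/8 bogon term, which sits ahead of `xmgmt`.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet header: just the fields the filter's match conditions use."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # e.g. "redirect"


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Source prefixes of the per-prefix discard terms, as listed in the counter output.
BOGON_SOURCES = nets(
    "0.0.0.0/7", "2.0.0.0/8", "5.0.0.0/8", "7.0.0.0/8", "10.0.0.0/8", "23.0.0.0/8",
    "27.0.0.0/8", "31.0.0.0/8", "36.0.0.0/7", "39.0.0.0/8", "42.0.0.0/8", "49.0.0.0/8",
    "50.0.0.0/8", "92.0.0.0/6", "169.254.0.0/16", "172.16.0.0/12", "173.0.0.0/8",
    "174.0.0.0/7", "176.0.0.0/5", "184.0.0.0/6", "192.0.2.0/24", "192.168.0.0/16",
    "197.0.0.0/8", "198.0.0.0/15", "223.0.0.0/8", "224.0.0.0/3")
SPOOF_SOURCES = nets("127.0.0.0/8", "240.0.0.0/4", "0.0.0.0/32")
ROUTER_ADDRESSES = nets("2.2.2.2/32", "1.1.1.1/32")   # the post's placeholder addresses
MGMT_HOST = nets("5.5.5.5/32")
SNMP_PORTS = (161, 162)   # assumption: the `snmp` and `snmptrap` keywords


def in_any(addr, prefixes):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in prefixes)


def bogon_term(p):
    """Name of the per-prefix term that would match p.src, or None."""
    for n in BOGON_SOURCES:
        if ipaddress.ip_address(p.src) in n:
            return str(n)
    return None


# Conditions inside one `from` are ANDed; values under one condition are ORed.
TERMS = [
    ("slammer",   lambda p: p.proto == "udp" and 1434 <= p.dport <= 1435, "reject"),
    ("blaster",   lambda p: p.proto in ("udp", "tcp") and p.dport in (69, 135, 139, 445, 4444), "reject"),
    ("CIFS",      lambda p: p.proto == "tcp" and 445 in (p.sport, p.dport), "discard"),   # `port`
    ("RPCmapper", lambda p: p.proto == "tcp" and 593 in (p.sport, p.dport), "discard"),
    ("bogon",     lambda p: bogon_term(p) is not None, "discard"),   # stands for the 26 prefix terms
    # As posted, antispoof needs all three: listed source AND icmp AND redirect.
    ("antispoof", lambda p: in_any(p.src, SPOOF_SOURCES) and p.proto == "icmp"
                            and p.icmp_type == "redirect", "discard"),
    ("nosnmp",    lambda p: p.proto == "udp" and p.dport in SNMP_PORTS, "discard"),
    ("xmgmt",     lambda p: in_any(p.src, MGMT_HOST) and p.proto == "tcp" and p.dport == 22, "accept"),
    ("noxmgmt",   lambda p: in_any(p.dst, ROUTER_ADDRESSES) and p.proto == "tcp"
                            and (22 <= p.dport <= 23 or p.dport in (80, 443)), "discard"),
    ("accept-all", lambda p: True, "accept"),
]


def evaluate(p):
    """Return (term name, action) of the first term in filter 125 whose `from` matches p."""
    for name, match, action in TERMS:
        if match(p):
            return (bogon_term(p) if name == "bogon" else name), action
    raise RuntimeError("unreachable: accept-all matches everything")


# Constructed excerpt in the shape of the `show firewall filter 125` output above.
COUNTER_OUTPUT = """\
Filter: 125
Counters:
Name                                                Bytes              Packets
blaster                                           4076720                84540
slammer                                           5271140                13053
rpcmapper                                               0                    0
10.0.0.0/8                                          13620                   33
noxmgmt                                              6172                  121
"""


def active_terms(output):
    """Parse counter output; return [(name, packets)] for every counter with packets > 0."""
    active, in_counters = [], False
    for line in output.splitlines():
        if line.startswith("Counters:"):
            in_counters = True
            continue
        parts = line.split()
        if not in_counters or len(parts) != 3 or parts[0] == "Name":
            continue
        name, _bytes, packets = parts
        if packets.isdigit() and int(packets) > 0:
            active.append((name, int(packets)))
    return active
```

Feeding a handful of constructed headers through `evaluate` before committing a filter is a cheap way to catch term-order surprises like the two noted above; `active_terms` can be run over the saved output of the show command from a cron job to flag which terms are actually firing.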


4
I decided to give SunRocket VOIP a try and had to do a little tweaking to get their "gizmo" VOIP device working properly behind my NS-5GT.

When I initially set it up, I could not make calls in or out.

I created a new policy from the internal IP of the "gizmo" device to SunRocket's IP block according to ARIN WHOIS (67.133.234.0/24) with NAT source translation enabled.

set policy id 29 from "Trust" to "Untrust"  "192.168.0.76/32" "67.133.234.0/24" "SIP" nat src permit log count traffic

After which I was able to make outbound VOIP calls however voice UDP wasn't working properly (I could talk on VOIP side and hear on landline side but not vice versa).

Looked to be a port forwarding issue from sunrocket to my NATed "gizmo" device so:

I created a VIP (on my untrust semi-static IP) to the internal IP of the "gizmo" for SIP traffic:

Note: I had to create a custom service for SIP (UDP 5060) because the keyword "SIP" was not a valid option (got error message "Not supported VIP services" from ScreenOS CLI). Then I created the VIP...

set service "sunrocket5060" protocol udp src-port 1025-65535 dst-port 5060-5060
set interface untrust vip untrust 5060 "sunrocket5060" 192.168.0.76

I created two custom services as follows:
 
set service "Sunrocket16385" protocol udp src-port 1025-65535 dst-port 16385-16385
set service "Sunrocket5200" protocol udp src-port 1025-65535 dst-port 5200-5200

Then added both to policy id 29 from "Trust" to "Untrust":

set policy id 29
set service "Sunrocket16385"
set service "Sunrocket5200"

Everything works like a champ now...

5
FYI 5.3R1 code is out and I put it into production on an SA 1005b (now considered SA 2000) last Friday evening. No major issues (5.2 code ran fine for my shop as well). I've got a few Pocket PC users and none have complained thus far.

We use Web access, and WSAM exclusively for SSH and other port forwarding including Provision Networks (much better solution than Citrix for those who haven't plunked down the loot they charge) and I'm contemplating moving some towards network connect.

6
Routers / MLPPP on J-Series routers
« on: March 07, 2006, 09:01:53 pm »
In case anyone is messing with multilink PPP on a J-Series, the setup is slightly different than what is in M/T Series support docs (I didn't find any J-Series MLPPP info on the Juniper Web site). Overall I've been happy running 2xT1 Internet on a J4300.

I did it as follows:

set interfaces ls-0/0/0 unit 0 encapsulation multilink-ppp
set interfaces ls-0/0/0 unit 0 family inet address x.x.x.x/32 destination y.y.y.y
set interfaces t1-1/0/0 encapsulation ppp
set interfaces t1-1/0/0 unit 0 family mlppp bundle ls-0/0/0.0
set interfaces t1-1/0/1 encapsulation ppp
set interfaces t1-1/0/1 unit 0 family mlppp bundle ls-0/0/0.0

The config shows as:

ls-0/0/0 {
    unit 0 {
        encapsulation multilink-ppp;
        family inet {
            address x.x.x.x/32  {
                destination y.y.y.y;
            }
        }
    }
}
t1-1/0/0 {
    encapsulation ppp;
    unit 0 {
        family mlppp {
            bundle ls-0/0/0.0;
        }
    }
}
t1-1/0/1 {
    encapsulation ppp;
    unit 0 {
        family mlppp {
            bundle ls-0/0/0.0;
        }
    }
}

7
Greetings,

I just deployed IVE 5.2 in production and wondered what others have experienced with the new advanced endpoint security options. When I saw that Symantec acquired Whole Security, I thought it was all over for the "confidence online lite session protection" integration for the IVE. It looks as though the relationship will continue and hopefully Symantec will not brain damage the Whole Security product. :wink:

I've enabled connection control policy for user WSAM sessions and haven't received any complaints. I'm testing the malware protection and so far find it cooperates well with Windows XP.

I also have some users who want to access the VPN from a Pocket PC device on the road sometimes and otherwise use a PC desktop or laptop from home. I'm in the process of figuring out how to define a policy for either case (no host checker or cache cleaner for PPC and full host checking for PC clients).

Any comments/suggestions are greatly appreciated.

8
Suggestions/Feedback / Separate forum for JUNOS router posts
« on: October 30, 2005, 01:50:01 pm »
I'm deploying Juniper routers (in addition to firewall and SSL VPN boxes from them). I thought it might be nice to post some J-Series router stuff for the benefit of others. Instead of posting it in the general or routing forums, I was thinking it might be nice to have a separate place for router related posts.

Whaddya think?

9
During last week, I noticed significant traffic from a LAN host attempting to send out data to 169.254.46.82 port 82. This is a "bogon" address that should never see the light of day. While this sort of thing should not happen on a host with enterprise anti-virus and anti-spyware installed... it did (I've isolated the host to check out what's cooking on there).

With a lot of explaining to support, I cooked up a good way to effectively block bogons (Trust Zone Screen Source IP Based Session Limit is not adequate for my setup because we have semi-frequent communications that exceed the default 128 sessions by a good bit).

What I suggest below works fine on a 5 GT 201 (didn't spike CPU or memory) and I'm planning to deploy it on a 204 next week. I claim no responsibility if it trashes or hogs exorbitant CPU/resources on anyone's firewall.

You can route each bogon block to the null interface using syntax such as: set route 169.254.0.0/16 interface null

The problem with doing it this way is you have to run debug to see if there is any activity. Another suggestion was to create an address group with associated policy blocking them, however the max number of entries in a group is limited to 32. Here's what I did:

Note: entries below came from http://www.cymru.com/Documents/secure-ios-template.html. The following is from version 4.1 30 Jun 2005 and you should periodically monitor it for changes if you decide to implement this stuff.

Pasted from CLI:
set address untrust bogon1 1.0.0.0 255.0.0.0
set address untrust bogon2 2.0.0.0 255.0.0.0
set address untrust bogon5 5.0.0.0 255.0.0.0
set address untrust bogon7 7.0.0.0 255.0.0.0
set address untrust bogon10 10.0.0.0 255.0.0.0
set address untrust bogon23 23.0.0.0 255.0.0.0
set address untrust bogon27 27.0.0.0 255.0.0.0
set address untrust bogon31 31.0.0.0 255.0.0.0
set address untrust bogon36 36.0.0.0 255.0.0.0
set address untrust bogon37 37.0.0.0 255.0.0.0
set address untrust bogon39 39.0.0.0 255.0.0.0
set address untrust bogon42 42.0.0.0 255.0.0.0
set address untrust bogon49 49.0.0.0 255.0.0.0
set address untrust bogon50 50.0.0.0 255.0.0.0
set address untrust bogon77 77.0.0.0 255.0.0.0
set address untrust bogon78 78.0.0.0 255.0.0.0
set address untrust bogon79 79.0.0.0 255.0.0.0
set address untrust bogon92 92.0.0.0 255.0.0.0
set address untrust bogon93 93.0.0.0 255.0.0.0
set address untrust bogon94 94.0.0.0 255.0.0.0
set address untrust bogon95 95.0.0.0 255.0.0.0
set address untrust bogon96 96.0.0.0 255.0.0.0
set address untrust bogon97 97.0.0.0 255.0.0.0
set address untrust bogon98 98.0.0.0 255.0.0.0
set address untrust bogon99 99.0.0.0 255.0.0.0
set address untrust bogon100 100.0.0.0 255.0.0.0
set address untrust bogon101 101.0.0.0 255.0.0.0
set address untrust bogon102 102.0.0.0 255.0.0.0
set address untrust bogon103 103.0.0.0 255.0.0.0
set address untrust bogon104 104.0.0.0 255.0.0.0
set address untrust bogon105 105.0.0.0 255.0.0.0
set address untrust bogon106 106.0.0.0 255.0.0.0
set address untrust bogon107 107.0.0.0 255.0.0.0
set address untrust bogon108 108.0.0.0 255.0.0.0
set address untrust bogon109 109.0.0.0 255.0.0.0
set address untrust bogon110 110.0.0.0 255.0.0.0
set address untrust bogon111 111.0.0.0 255.0.0.0
set address untrust bogon112 112.0.0.0 255.0.0.0
set address untrust bogon113 113.0.0.0 255.0.0.0
set address untrust bogon114 114.0.0.0 255.0.0.0
set address untrust bogon115 115.0.0.0 255.0.0.0
set address untrust bogon116 116.0.0.0 255.0.0.0
set address untrust bogon117 117.0.0.0 255.0.0.0
set address untrust bogon118 118.0.0.0 255.0.0.0
set address untrust bogon119 119.0.0.0 255.0.0.0
set address untrust bogon120 120.0.0.0 255.0.0.0
set address untrust bogon121 121.0.0.0 255.0.0.0
set address untrust bogon122 122.0.0.0 255.0.0.0
set address untrust bogon123 123.0.0.0 255.0.0.0
set address untrust bogon127 127.0.0.0 255.0.0.0
set address untrust bogon169 169.254.0.0 255.255.0.0
set address untrust bogon172 172.16.0.0 255.240.0.0
set address untrust bogon173 173.0.0.0 255.0.0.0
set address untrust bogon174 174.0.0.0 255.0.0.0
set address untrust bogon175 175.0.0.0 255.0.0.0
set address untrust bogon176 176.0.0.0 255.0.0.0
set address untrust bogon177 177.0.0.0 255.0.0.0
set address untrust bogon178 178.0.0.0 255.0.0.0
set address untrust bogon179 179.0.0.0 255.0.0.0
set address untrust bogon180 180.0.0.0 255.0.0.0
set address untrust bogon181 181.0.0.0 255.0.0.0
set address untrust bogon182 182.0.0.0 255.0.0.0
set address untrust bogon183 183.0.0.0 255.0.0.0
set address untrust bogon184 184.0.0.0 255.0.0.0
set address untrust bogon185 185.0.0.0 255.0.0.0
set address untrust bogon186 186.0.0.0 255.0.0.0
set address untrust bogon187 187.0.0.0 255.0.0.0
set address untrust bogon192a 192.0.2.0 255.255.255.0
set address untrust bogon192b 192.168.0.0 255.255.0.0
set address untrust bogon197 197.0.0.0 255.0.0.0
set address untrust bogon223 223.0.0.0 255.0.0.0

From Web interface: created 3 address groups in untrust  
   address group bogon1-99 (selected bogon1-99; 25 entries)
   address group bogon100-120 (selected bogon100 -120; 20 entries)
   address group bogon121plus (selected bogon121...; 25 entries)

Created policy from trust to untrust denying above address groups and enabled logging.
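
Since the bogon list changes and the address groups have to be rebuilt by hand every time, here is an added example (my code, not the original poster's) that generates the whole ScreenOS CLI from a list of CIDR prefixes: one `set address` per prefix with the dotted netmask, address groups chunked to at most 32 members (the group limit the post mentions), and one trust-to-untrust deny+log policy per group. Entry names follow the post's convention (first octet, with a/b suffixes when two prefixes share it). The group and policy command syntax is what I know from ScreenOS 5.x and should be checked against your release before pasting; the input list below is a constructed subset of the post's.

```python
import ipaddress


def screenos_bogon_commands(prefixes, zone="untrust", name_prefix="bogon", group_size=32):
    """Emit ScreenOS CLI for a bogon deny list.

    Returns (commands, group_names).  `group_size` is capped at 32, the address-group
    limit described in the post; larger lists are split across several groups, each
    with its own deny+log policy.
    """
    if not 1 <= group_size <= 32:
        raise ValueError("ScreenOS address groups hold at most 32 entries")

    # Name entries the way the post does: first octet, plus a/b/... when prefixes share it.
    by_octet = {}
    for cidr in prefixes:
        net = ipaddress.ip_network(cidr)   # rejects malformed input or host bits set
        by_octet.setdefault(str(net.network_address).split(".")[0], []).append(net)
    entries = []
    for octet, nets in by_octet.items():
        for i, net in enumerate(nets):
            suffix = "" if len(nets) == 1 else chr(ord("a") + i)
            entries.append((f"{name_prefix}{octet}{suffix}", net))

    cmds = [f"set address {zone} {name} {net.network_address} {net.netmask}"
            for name, net in entries]
    group_names = []
    for start in range(0, len(entries), group_size):
        gname = f"{name_prefix}-grp{len(group_names) + 1}"
        group_names.append(gname)
        cmds.append(f'set group address {zone} "{gname}"')
        cmds.extend(f'set group address {zone} "{gname}" add {name}'
                    for name, _ in entries[start:start + group_size])
        # Assumption: policy syntax as on a ScreenOS 5.x CLI; source any, destination = group.
        cmds.append(f'set policy from trust to {zone} any "{gname}" any deny log')
    return cmds, group_names


# Constructed input: a subset of the post's list, including two prefixes sharing octet 192.
SAMPLE_PREFIXES = ["10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                   "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16"]

if __name__ == "__main__":
    for line in screenos_bogon_commands(SAMPLE_PREFIXES)[0]:
        print(line)
```

Diff the generated output against the running config when the upstream list changes and you get the add/remove set for free, instead of re-clicking through the address-group pages.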

10
Opening for a mid level network engineer in Rockville, MD USA
Super friendly / laid back work environment; 100's of users in a single site.

Seeking someone with a mix of skills:

2 years enterprise networking experience.
Excellent communication skills and positive attitude (< 1/4 of your time will be spent providing support escalated/assigned by help desk manager).
Willingness to assist with more mundane tasks in addition to individual and group projects.
Java servlet server knowledge (IIS/JRun & Apache/Tomcat) is a plus.
Knowledge of load balancing is a plus (F5 BigIPs or other).
Windows 2000/2003 server experience.
Juniper firewall, routing and SSL VPN experience.
Security experience is a plus.
NetWare 4+ experience is a plus.
Linux experience is a plus.
Colocation and multi-homed Internet experience is a plus.

11
NetScreen and SSG/ISG Series Firewalls / Comments on ScreenOS 5.2.0r1
« on: June 05, 2005, 11:12:29 am »
Greetings,

I upgraded my 5GT-201 at home to 5.2.0r1 ~3 weeks ago and it appears to be quite stable (I was running ns5gt.5.1.0r3a.0 before that).

I have a 204 in production at work and wondered if anyone else had any comments about 5.2 code stability before I upgrade in a week or so.
