

Messages - sighup9

1
NetScreen and SSG/ISG Series Firewalls / Re: VPN SSG5
« on: August 08, 2007, 06:25:18 am »
Is there a way to also have port 1723 forwarded to an internal server so current users can still use that while I migrate everyone over? I tried setting that port up but it's not in the list of services to use. I'm assuming it's reserved.
Thanks
Phil

You can try creating a custom service and see what happens. In the policy, set the application to Ignore rather than the default None as well.

I've successfully done similar with SIP because it is not listed as a VIP service and this approach works fine for my VOIP phone.

2
NetScreen and SSG/ISG Series Firewalls / Re: SSG5 and IP Phone System
« on: July 31, 2007, 06:26:15 am »
Greetings,

I've got a similar setup and have ~12 IP phones connecting from the Internet (some halfway across the world; all work exceptionally well) to an Inter-Tel PBX with IPRC card. I set up a MIP to the IPRC and segmented the VOIP traffic on a separate internal VLAN. I've pasted the configs I use on the corp firewall and 5GT remote firewall so you can get an idea... let me know if you have any questions.

VOIP PBX/IPRC side NS-204 firewall config:

set service "Inter-Tel inbound IPRC" protocol udp src-port 1025-65535 dst-port 5004-5006
set service "Inter-Tel inbound IPRC" + udp src-port 1025-65535 dst-port 5567-5567
set service "Inter-Tel inbound IPRC" + tcp src-port 1025-65535 dst-port 5566-5566
set service "Inter-Tel outbound IPRC" protocol udp src-port 5004-5004 dst-port 1025-65535
set interface "ethernet3" mip x.x.x.x (external mapped IP address) host y.y.y.y (internal IPRC IP address) netmask 255.255.255.255 vr "trust-vr"

set policy id 75 from "Untrust" to "Trust"  "Any" "MIP(x.x.x.x)" "Inter-Tel inbound IPRC" permit
set policy id 75
exit

set policy id 69 from "Trust" to "Untrust"  "y.y.y.y/32" "Any" "Inter-Tel outbound IPRC" permit log
set policy id 69
set service "Inter-Tel remote IPRC"
exit

VOIP client side NS-5GT firewall config (I created QOS for it as well in the policy):

set service "Inter-Tel IP phone" protocol udp src-port 5004-5006 dst-port 5000-5034
set service "Inter-Tel IP phone" + udp src-port 5567-5567 dst-port 5567-5567
set service "Inter-Tel IP phone" + tcp src-port 1025-65535 dst-port 5566-5566

set policy id 20 from "Trust" to "Untrust"  "192.168.0.0/24" "65.125.12.220/32" "Inter-Tel IP phone" permit log traffic gbw 48 mbw 96

3
I am working with a customer who is looking at collapsing 5 Checkpoint firewalls into a pair of 520s...  Anyone heard of this tool?  Anyone use it?

Thanks

Greetings, I recommend you start from scratch. I migrated from ChuckPoint a couple years ago to two NS-204's. Since I am familiar with many firewall products, it did not take long to grasp the differences between CheckPoint and NS terminology. Once I had that down, I set up a 204 in parallel, tested the new policies for a few weeks, set test users on the new default gateway and eventually migrated everyone in ~45 days total.

Feel free to ask specific questions if you have any regarding migration.


4
NetScreen and SSG/ISG Series Firewalls / Re: log : reason : close AGE OUT
« on: February 27, 2007, 11:38:42 am »
Yes, AGE OUT means one of two things:

Either the connection was set up properly and went inactive for a period of time (this length of time depends on the service and configuration).

Or the connection was half open (if you have TCP SYN checking enabled) and the firewall never saw a completed TCP connection.


Another situation where I've seen Age Out is when a policy for a NATed zone (other than trust zone) does not have source translation defined.

5
NetScreen and SSG/ISG Series Firewalls / Re: High Memory Utilization
« on: February 26, 2007, 01:50:22 pm »
When I got in touch with the JTAC they advised me to downgrade the firmware to 5.3.0r6.

5.4 does not use much more RAM. I upgraded a 204 back in August from 5.3.0r3.0 to 5.4.0r1.0 (it's been running since then no problem). I have slightly less than 100 policies.

                       Allocated (KB)   Left (KB)
Before upgrade         67736            27290

Post upgrade:
9:27 PM Aug 11th       69014            20356
10:10 AM Aug 12th      68710            20660
7:00 AM Aug 14th       68708            20662
Feb 26, 2007           70177            19193

6
NetScreen and SSG/ISG Series Firewalls / Re: ScreenOS 5.4.0r3
« on: February 10, 2007, 09:13:30 am »
It is available now...

I installed it on a 5GT-201 at home and all is well. MRTG stats work properly (they did not in 5.4.0r2). I was running 5.4.0r1 since it came out.

I'm planning on upgrading a semi-production NS-204 at a hosting facility in the coming weeks.

7
5.3 is working great with my Intel MacBook, mostly.  Network Connect works, but Secure Meetings do not.

The non-universal RDP client does suck.  But you can always install rdesktop.


I'm running 5.3R3 (11159) and PPC Macs work great with NC terminal service access. With Intel Macs there's like a 1 min delay before the remote desktop appears after launching a TS client on the Mac. As for an RDP client, I highly recommend cocoa remote desktop client (CoRD) which is a universal binary http://www.versiontracker.com/dyn/moreinfo/macosx/30808

8
NetScreen and SSG/ISG Series Firewalls / Re: 5.3.0r6.0 released
« on: December 11, 2006, 09:01:29 am »
I'm using 204's. I've tried everything I can think of but I am still getting the error. If anyone has any ideas I'm all ears.. SSH was working before the upgrade..

Are you attempting to login with the admin account? If so, create another account with RW privileges and then try ssh with that login.

9
Routers / Re: Back-to-back connection between cisco and J2300
« on: December 03, 2006, 03:20:46 pm »
Hello,

It seems that cabling structure (even if the pinout is the same) between Cisco and Juniper.
I changed the back-to-back connection to a WAN simulation box and connected both routers to it.
Now it works...

Bye

Hedi

A t-1 crossover cable should work fine. Were you using a Cisco console "roll" cable by chance? Those only work for 56k ports back to back.


10
Routers / Re: J series router comparison
« on: November 27, 2006, 05:56:17 pm »
Greetings,

According to Juniper's marketing literature:

                               J6350       J4350
Forwarding                     1 Gbps      600 Mbps
3DES + SHA1 (Large Packets)    500 Mbps    300 Mbps w/ hardware acceleration
                                           30 Mbps w/o hardware acceleration

I didn't find information about J4300/J6300.

I selected J4300's over Cisco 2621's a couple years back for multi-link PPP because Cisco's routers had CPU problems and have not regretted moving to Juniper.

11
NetScreen and SSG/ISG Series Firewalls / Re: ScreenOS 5.4r2 is out
« on: November 01, 2006, 10:25:32 am »
I feel Juniper should seriously look into the quality and testing of ScreenOS before releasing it out in the market, like Cisco.

Hmm, wonder if they've hired software development people from ASCEND!!!!

 :evil:

12
DX, WX, and WXC platforms / Re: Any comments on 5.4.1 code?
« on: October 19, 2006, 02:55:13 am »
We just deployed 5.4.1 - no issues experienced yet, but it is probably still too early to tell.


Thanks for the info. I'm contemplating setting them up inline attached to the firewall trust interface. I'm testing with 5.4.1 and thinking of deploying 5.2.5 if any oddities arise or others say the new stuff is not quite ready for prime time. My VOIP setup uses very little bandwidth so I'm probably going to leave that out of the mix for now and focus on reducing significant traffic like SAN data replication going over a VPN tunnel to a hosting facility.

13
DX, WX, and WXC platforms / Any comments on 5.4.1 code?
« on: October 18, 2006, 08:34:21 pm »
I recently purchased 2 WX-20's and was wondering if anyone is running 5.4.1 or not. It looks as though there are quite a lot of new features and I'm thinking it might be better to deploy 5.2.5 for now. Any thoughts are greatly appreciated.

14
Routers / Re: Locking down an Internet router and filtering known garbage
« on: October 17, 2006, 05:24:39 am »
Cool sighup9 great tips thanks. :-D

NP - There's a lot of advantage in tightening up security on routers - just remember to do a show firewall filter xxx every once in a while to see which terms are getting hits (and when you need to troubleshoot access problems, since some of the bogons might end up being legitimate / routable IPs in the future).

15
Just an FYI - with DI (inspection mode only) we were seeing packet drops causing connectivity problems.

Thanks for the info...

In general, I'm not sure how effective it is to deploy DI on Juniper/Netscreen firewalls. With it enabled for DNS from trust to untrust, I can still do things like tunnel SSH over port 53 back to a VIPed Linux box at home and do not observe any indications from the firewall that it detected suspicious traffic. I'm sure that some of what DI functionality on the firewall does is effective. However, if there are inconsistencies such as what I've described, overall effectiveness may not be worth the risk/overhead and potential for "connectivity problems".


16
Hi, registering can be a bit funny sometimes - takes a while for it to filter through. I have needed to call US support before to get it to work.

But that's by the by as you don't have support unless there is an existing contract (there isn't) or it's new (you get 3 months or so free). So if you want updates you will need to get a basic contract or 'find' a copy of the OS.

Netscreen uses the model 'no pay=no updates' which is a bit rubbish really. Imagine if Microflop did that!

What model do you have there?

Agreed - Juniper's neanderthalic / draconian licensing is my only significant complaint with them compared to "all you can eat" Cisco software download availability merely by registering one device of any sort for maintenance. It is clear they are trying to squash the grey market but at the expense of their customers who have to jump through firing hoops to register a product. It would be a tremendous help if they would ease up on customers with 5+ registered devices or something like that!


17
Routers / Capturing data for later use if a router goes down
« on: October 11, 2006, 11:53:40 am »
I thought others might benefit from someone describing what to capture if a router goes down, in the event you need to contact JTAC later or conduct your own post mortem:

From a workstation terminal session, enable logging to disk and enter the following router commands:
show interface extensive  (for each interface involved)
show log messages
show log chassisd
request support information |no-more

document any configuration or hardware changes just prior to the event
document/capture any snmp management information such as traffic patterns.

18
NetScreen and SSG/ISG Series Firewalls / Re: Reply for DI
« on: October 10, 2006, 03:35:12 am »
Hi,

Yes, there is some added delay in performance due to DI; also, a CPU utilization level of 40% is normal when DI is applied. If AV is applied in addition without keeping the right timeout settings for SMTP, HTTP, POP3, then drops of traffic can also be seen.

Thanks,
Naveen.  :shock:

Just to update this a bit:

Still holds true for non-ASIC based firewalls. If I turn on DI for http from trust to untrust and download a multi-GB file via http (~800 KB/sec from a cable Internet connection), the CPU of my 5GT-201 running 5.4.0r1.0 stays constant at 45%. Normal CPU usage is 2-5%.

If I disable DI for http, it does not affect download performance so I guess that is a good thing considering it slams the CPU of the firewall.


19
Routers / Locking down an Internet router and filtering known garbage
« on: October 05, 2006, 04:18:23 am »
For the benefit of anyone who is interested, here's an idea of how to lock down an Internet router and discard known inbound garbage. Be careful deploying filters on a production router - one false move and you can clobber "good" traffic. Standard disclaimer - this is for informational purposes, use at your own risk, caveat emptor, etc... If I see this verbatim in a book with no notification, you better keep a close watch on the smoke gates in your computer equipment, car, home, etc. ;)

Juniper has an overview at http://www.juniper.net/solutions/literature/app_note/350013.pdf#search=%22juniper%20router%20prefix%20list%22

Let's assume you:
 Have a T-1 connection to the Internet with serial IP address 1.1.1.1
 Have a routable Ethernet address 2.2.2.2
 Want to filter out bogon/martian address blocks (see http://www.cymru.com/Documents/bogon-list.html for more info.)
  Note: I use a subset of the above.
 Want to block snmp attempts inbound to your serial interface.
 Want to be able to manage the router unencumbered from your LAN.
 Want to block external access except from one specific Internet address 5.5.5.5 (terms below are noxmgmt and xmgmt respectively).

If you are worried about overhead, I have more terms than those listed below. CPU utilization on my J4300 with 2xT1s MLPPP historically for the last year doesn't exceed 5% for the most part (I monitor it via MRTG).
 

First, your serial config - the line worth noting is input 125 - that tells the router to apply firewall filter 125 inbound on the serial interface. It is also wise to put the circuit ID in the description!

    t1-1/0/0 {
        unit 0 {
            description "CircuitID xxxxxxxxx";
            encapsulation ppp;
            family inet {
                filter {
                    input 125;
                }
                address 1.1.1.1/32 {
                    destination x.x.x.x;
                }
            }
        }
    }


Second, a summary of how it works:

 All the terms up to nosnmp (see below) block various known baddies and bogons/martian addresses.
 The terms beyond that discard management attempts other than ssh from 5.5.5.5
 Keep in mind, this applies only to inbound traffic on your serial interface so router access from your LAN will not be affected.
 I use counting so that I can get a quick summary of what terms show activity. Here's what it looks like:

Mondo_Inet> show firewall filter 125 
Filter: 125                                                   
Counters:
Name                                                Bytes              Packets
blaster                                           4076720                84540
slammer                                           5271140                13053
rpcmapper                                               0                    0
cifs                                                   80                    2
0.0.0.0/7                                               0                    0
2.0.0.0/8                                               0                    0
5.0.0.0/8                                               0                    0
7.0.0.0/8                                               0                    0
10.0.0.0/8                                          13620                   33
23.0.0.0/8                                              0                    0
27.0.0.0/8                                              0                    0
31.0.0.0/8                                              0                    0
36.0.0.0/7                                              0                    0
39.0.0.0/8                                              0                    0
42.0.0.0/8                                              0                    0
49.0.0.0/8                                              0                    0
50.0.0.0/8                                              0                    0
92.0.0.0/6                                              0                    0
169.254.0.0/16                                          0                    0
172.16.0.0/12                                         112                    2
173.0.0.0/8                                             0                    0
174.0.0.0/7                                             0                    0
176.0.0.0/5                                             0                    0
184.0.0.0/6                                             0                    0
192.0.2.0/24                                            0                    0
192.168.0.0/16                                         56                    1
197.0.0.0/8                                             0                    0
198.0.0.0/15                                            0                    0
223.0.0.0/8                                             0                    0
224.0.0.0/3                                             0                    0
antispoof                                               0                    0
nosnmp                                                  0                    0
noxmgmt                                              6172                  121


Finally, the filter:

firewall {
    family inet {   
        filter 125 {
            term slammer {
                from {
                    protocol udp;
                    destination-port 1434-1435;
                }
                then {
                    count slammer;
                    reject;
                }
            }
            term blaster {
                from {
                    protocol [ udp tcp ];
                    destination-port [ 69 135 139 445 4444 ];
                }
                then {
                    count blaster;
                    reject;
                }
            }
            term CIFS {
                from {
                    protocol tcp;
                    port 445;
                }
                then {
                    count cifs;
                    discard;
                }
            }
            term RPCmapper {
                from {
                    protocol tcp;
                    port 593;
                }
                then {
                    count rpcmapper;
                    discard;
                }
            }
            term 0.0.0.0/7 {
                from {
                    source-address {
                        0.0.0.0/7;
                    }
                }
                then {
                    count 0.0.0.0/7;
                    discard;
                }
            }
            term 2.0.0.0/8 {
                from {
                    source-address {
                        2.0.0.0/8;
                    }
                }
                then {
                    count 2.0.0.0/8;
                    discard;
                }
            }
            term 5.0.0.0/8 {
                from {
                    source-address {
                        5.0.0.0/8;
                    }
                }   
                then {
                    count 5.0.0.0/8;
                    discard;
                }
            }
            term 7.0.0.0/8 {
                from {
                    source-address {
                        7.0.0.0/8;
                    }
                }
                then {
                    count 7.0.0.0/8;
                    discard;
                }
            }
            term 10.0.0.0/8 {
                from {
                    source-address {
                        10.0.0.0/8;
                    }
                }
                then {
                    count 10.0.0.0/8;
                    discard;
                }
            }
            term 23.0.0.0/8 {
                from {
                    source-address {
                        23.0.0.0/8;
                    }
                }
                then {
                    count 23.0.0.0/8;
                    discard;
                }
            }
            term 27.0.0.0/8 {
                from {
                    source-address {
                        27.0.0.0/8;
                    }
                }
                then {
                    count 27.0.0.0/8;
                    discard;
                }
            }
            term 31.0.0.0/8 {
                from {
                    source-address {
                        31.0.0.0/8;
                    }
                }
                then {
                    count 31.0.0.0/8;
                    discard;
                }
            }
            term 36.0.0.0/7 {
                from {
                    source-address {
                        36.0.0.0/7;
                    }
                }
                then {
                    count 36.0.0.0/7;
                    discard;
                }
            }
            term 39.0.0.0/8 {
                from {
                    source-address {
                        39.0.0.0/8;
                    }
                }
                then {
                    count 39.0.0.0/8;
                    discard;
                }
            }
            term 42.0.0.0/8 {
                from {
                    source-address {
                        42.0.0.0/8;
                    }
                }
                then {
                    count 42.0.0.0/8;
                    discard;
                }   
            }
            term 49.0.0.0/8 {
                from {
                    source-address {
                        49.0.0.0/8;
                    }
                }
                then {
                    count 49.0.0.0/8;
                    discard;
                }
            }
            term 50.0.0.0/8 {
                from {
                    source-address {
                        50.0.0.0/8;
                    }
                }
                then {
                    count 50.0.0.0/8;
                    discard;
                }
            }       
            term 92.0.0.0/6 {
                from {
                    source-address {
                        92.0.0.0/6;
                    }
                }
                then {
                    count 92.0.0.0/6;
                    discard;
                }
            }
            term 169.254.0.0/16 {
                from {
                    source-address {
                        169.254.0.0/16;
                    }
                }
                then {
                    count 169.254.0.0/16;
                    discard;
                }
            }
            term 172.16.0.0/12 {
                from {
                    source-address {
                        172.16.0.0/12;
                    }
                }
                then {
                    count 172.16.0.0/12;
                    discard;
                }
            }
            term 173.0.0.0/8 {
                from {
                    source-address {
                        173.0.0.0/8;
                    }
                }
                then {
                    count 173.0.0.0/8;
                    discard;
                }
            }
            term 174.0.0.0/7 {
                from {
                    source-address {
                        174.0.0.0/7;
                    }
                }
                then {
                    count 174.0.0.0/7;
                    discard;
                }
            }
            term 176.0.0.0/5 {
                from {
                    source-address {
                        176.0.0.0/5;
                    }
                }
                then {
                    count 176.0.0.0/5;
                    discard;
                }
            }
            term 184.0.0.0/6 {
                from {
                    source-address {
                        184.0.0.0/6;
                    }
                }
                then {
                    count 184.0.0.0/6;
                    discard;
                }
            }
            term 190.0.0.0/8 {
                from {
                    source-address {
                        190.0.0.0/8;
                    }
                }
            }
            term 192.0.2.0/24 {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                }
                then {
                    count 192.0.2.0/24;
                    discard;
                }
            }
            term 192.168.0.0/16 {
                from {
                    source-address {
                        192.168.0.0/16;
                    }
                }
                then {
                    count 192.168.0.0/16;
                    discard;
                }
            }
            term 197.0.0.0/8 {
                from {
                    source-address {
                        197.0.0.0/8;
                    }
                }
                then {
                    count 197.0.0.0/8;
                    discard;
                }
            }
            term 198.0.0.0/15 {
                from {
                    source-address {
                        198.0.0.0/15;
                    }
                }
                then {
                    count 198.0.0.0/15;
                    discard;
                }
            }
            term 223.0.0.0/8 {
                from {
                    source-address {
                        223.0.0.0/8;
                    }
                }
                then {
                    count 223.0.0.0/8;
                    discard;
                }   
            }
            term 224.0.0.0/3 {
                from {
                    source-address {
                        224.0.0.0/3;
                    }
                }
                then {
                    count 224.0.0.0/3;
                    discard;
                }
            }
            term antispoof {
                from {
                    source-address {
                        127.0.0.0/8;
                        240.0.0.0/4;
                        0.0.0.0/32;
                    }
                    protocol icmp;
                    icmp-type redirect;
                }
                then {
                    count antispoof;
                    discard;
                }
            }
            term nosnmp {
                from {
                    protocol udp;
                    destination-port [ snmp snmptrap ];
                }
                then {
                    count nosnmp;
                    discard;
                }
            }
            term xmgmt {
                from {
                    source-address {
                        5.5.5.5/32;
                    }
                    protocol tcp;
                    destination-port 22;
                }
                then {
                    syslog;
                    accept;
                }
            }
            term noxmgmt {
                from {
                    destination-address {
                        2.2.2.2/32;
                        1.1.1.1/32;
                    }
                    protocol tcp;
                    destination-port [ 22-23 80 443 ];
                }
                then {
                    count noxmgmt;
                    discard;
                }
            }
            term accept-all {
                then {
                    log;
                    accept;
                }   
            }
        }
    }
}

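Two of the checks this post relies on can be automated: reading the filter to confirm every term actually does something, and reading the counter listing to see which terms are getting hits. The Python helper below is an added example, not code from the original post or from Juniper. It parses JunOS curly-brace filter text term by term, flags any term without a then clause (JunOS accepts packets that match a term with no action, which is what the posted 190.0.0.0/8 term does) and any term that discards or rejects without a count (those hits never show up in show firewall filter), then parses the counter output and lists the terms with non-zero packet counts. The config and counter rows it runs on are constructed subsets of what is posted above.

```python
import re

# Constructed sample input: a subset of the filter posted above, one line per
# from/then block (the tokenizer below ignores layout).
SAMPLE_FILTER = """\
firewall {
    family inet {
        filter 125 {
            term slammer {
                from { protocol udp; destination-port 1434-1435; }
                then { count slammer; reject; }
            }
            term 10.0.0.0/8 {
                from { source-address { 10.0.0.0/8; } }
                then { count 10.0.0.0/8; discard; }
            }
            term 190.0.0.0/8 {
                from { source-address { 190.0.0.0/8; } }
            }
            term accept-all {
                then { log; accept; }
            }
        }
    }
}
"""

# Constructed sample output: a few rows from the 'show firewall filter 125' listing above.
SAMPLE_COUNTERS = """\
Mondo_Inet> show firewall filter 125
Filter: 125
Counters:
Name                                                Bytes              Packets
blaster                                           4076720                84540
slammer                                           5271140                13053
10.0.0.0/8                                          13620                   33
noxmgmt                                              6172                  121
"""

def parse_filter_terms(config_text):
    """Map each 'term NAME { ... }' to: whether it has a then clause, the
    action keywords inside it, and the name of its counter (if any)."""
    toks = re.findall(r"[{};]|[^\s{};]+", config_text)  # words plus { } ;
    terms, i = {}, 0
    while i < len(toks):
        if toks[i] != "term" or i + 2 >= len(toks) or toks[i + 2] != "{":
            i += 1
            continue
        name = toks[i + 1]
        info = {"has_then": False, "actions": [], "count": None}
        depth, in_then, stmt = 1, False, []
        i += 3  # step past 'term NAME {'
        while i < len(toks) and depth > 0:
            t = toks[i]
            if t == "{":
                depth += 1
            elif t == "}":
                depth -= 1
                in_then = in_then and depth >= 2  # then {} is closed back at depth 1
            elif t == "then" and i + 1 < len(toks) and toks[i + 1] == "{":
                info["has_then"] = in_then = True
            elif in_then and t == ";":  # end of one statement inside then {}
                if stmt and stmt[0] == "count":
                    info["count"] = stmt[1]
                elif stmt:
                    info["actions"].append(stmt[0])
                stmt = []
            elif in_then:
                stmt.append(t)
            i += 1
        terms[name] = info
    return terms

def lint_terms(terms):
    """Flag terms whose effect a reviewer would want to confirm."""
    findings = []
    for name, info in terms.items():
        if not info["has_then"]:
            findings.append(f"{name}: no 'then' clause, so JunOS accepts matching packets")
        elif info["count"] is None and {"discard", "reject"} & set(info["actions"]):
            findings.append(f"{name}: drops without 'count', so hits never appear in the counters")
    return findings

def parse_counters(show_output):
    """Parse 'Name Bytes Packets' rows into {name: (bytes, packets)}; other lines are skipped."""
    counters = {}
    for line in show_output.splitlines():
        m = re.fullmatch(r"(\S+)\s+(\d+)\s+(\d+)\s*", line)
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters

def active_counters(counters):
    """Counter names with at least one hit, busiest first."""
    hits = [n for n, (_, packets) in counters.items() if packets > 0]
    return sorted(hits, key=lambda n: counters[n][1], reverse=True)

if __name__ == "__main__":
    print(*lint_terms(parse_filter_terms(SAMPLE_FILTER)), sep="\n")
    print("terms with hits:", active_counters(parse_counters(SAMPLE_COUNTERS)))
```

Run against the full filter and a fresh show firewall filter 125 capture, the lint output is the list of terms to look at before trusting the filter, and the active-counter list is the "quick summary of what terms show activity" the post describes, without reading the whole table.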

20
Routers / Re: SSH - Help Request
« on: September 29, 2006, 06:00:14 am »
Greetings,

root login is most likely being denied. Set up an account with privileges to login, for example:

login {
    user ralfh {
        class super-user;
        authentication {
            encrypted-password "xxxxxxxxx";
        }
    }
}

Once you get that going, I can explain how to block unwanted access via JunOS firewall filter if you like...
