PingPros

Network Discussions Like a Pro

Open EIGRP…Why Bother?

Posted by Senad on May 1, 2013
Posted in: Cisco.

So Cisco apparently is releasing an open-standards-based EIGRP.

Of course there is a catch: if you want certain functions (stub, areas, etc.) you have to go Cisco for those enhancements.

Anyway, I would love to hear what people think here.

Is another routing protocol worth it? How much effort do you think the industry will put in to have things just work nicely?

Multiple Ports, Port-Mirror on Juniper MX80 going to a directly connected TAP port

Posted by Senad on December 28, 2012
Posted in: Juniper, Uncategorized. Tagged: Juniper.

The Setup:

  • You have an MX80 with three ISP connections out to the internet.
  • Ports ge-1/0/0, ge-1/0/1, ge-1/0/2 and ge-1/0/3 all need their traffic mirrored.
    • Combined bandwidth across those ports is 300 Mbps, so a single extra gigabit port has enough capacity to receive all the mirrored copies.
  • Port ge-1/0/4 is the MX80 port connecting directly to the security appliance.
  • The security appliance has a TAP port configured to sniff all data transiting the MX80.
    • NO IP address is assigned to the TAP port.
    • You can obtain its MAC address, which in this case is 00:1b:17:37:17:24.

[Figure: MX80 port-mirror diagram]

The Problem:

On Cisco NX-OS a SPAN session makes this very simple (the Juniper-style interface names are kept here only for side-by-side comparison; NX-OS would use Ethernet interface names, and the destination port must be configured with switchport monitor):
monitor session 1
  source interface ge-1/0/0,ge-1/0/1,ge-1/0/2,ge-1/0/3 both
  destination interface ge-1/0/4
  no shut
But how do we achieve it on a Juniper MX80 running a Junos release current in 2012/2013?

The Solution:

Step #1: Set up port mirroring under forwarding-options
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring input run-length 1
set forwarding-options port-mirroring family inet output interface ge-1/0/4.0 next-hop 1.1.1.2
set forwarding-options port-mirroring family inet output no-filter-check

Note: rate 1 mirrors every packet rather than sampling 1 in N. See Step #4 for why the next hop is 1.1.1.2: it is a dummy address that exists only so the mirrored copies get framed with the TAP port's MAC.

Step #2: Create a firewall filter that mirrors the traffic
set firewall family inet filter port-mirror term 1 then port-mirror
set firewall family inet filter port-mirror term 1 then accept
set firewall family inet filter port-mirror term 2 then accept

NOTE: port-mirror is a non-terminating action, so the term still needs accept or the traffic is dropped. Term 1 has no from clause and therefore matches everything, which makes term 2 harmless but redundant. If an interface already has a filter applied, remember that an interface unit takes a single input filter and a single output filter per family (unless you use filter lists), so add "then port-mirror" to the relevant terms of that existing filter rather than trying to apply a second one.

Step #3: Apply the filter in both directions on each mirrored port

set interfaces ge-1/0/0 unit 0 family inet filter input port-mirror
set interfaces ge-1/0/0 unit 0 family inet filter output port-mirror

set interfaces ge-1/0/1 unit 0 family inet filter input port-mirror
set interfaces ge-1/0/1 unit 0 family inet filter output port-mirror

set interfaces ge-1/0/2 unit 0 family inet filter input port-mirror
set interfaces ge-1/0/2 unit 0 family inet filter output port-mirror

set interfaces ge-1/0/3 unit 0 family inet filter input port-mirror
set interfaces ge-1/0/3 unit 0 family inet filter output port-mirror

Step #4: Put a dummy IPv4 address on the dump port and add a static ARP entry, for a second address in the same subnet, that points at the TAP port's MAC

set interfaces ge-1/0/4 unit 0 family inet address 1.1.1.1/30 arp 1.1.1.2 mac 00:1b:17:37:17:24

Notice: we are giving ge-1/0/4 a dummy address, then creating a static ARP entry for a different address in the same subnet that resolves to the TAP port's MAC. The TAP has no IP stack and would never answer an ARP request; the static entry lets the router build the Ethernet header for the mirrored copies without ever sending one, and the next-hop in Step #1 simply names that entry.

Two caveats. First, 1.1.1.0/30 is not actually private address space (1.0.0.0/8 is publicly allocated), so pick an RFC 1918 range that is not used anywhere else in your network for the dummy link. Second, ge-1/0/4 is now a routed interface with family inet, so anything plugged into it could inject packets toward the router; put a discard-all input filter on ge-1/0/4.0 so nothing arriving from the appliance side is ever forwarded.
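As an added example (not code from the original post), the Python script below generates the four steps above from a list of ports and sanity-checks the inputs before anything is pasted into the router: the static ARP address is derived from the same dummy /30 as the interface address so they cannot drift apart, the dump port must not itself be mirrored, the MAC must be well formed, and a dummy range outside RFC 1918 space is flagged. It leaves run-length at the Junos default because rate 1 already selects every packet, and it uses a single filter term since a term with no from clause matches everything. The port names, the 1.1.1.0/30 link and the TAP MAC are the post's values; the function name, the check logic and the warning text are this example's own assumptions.

```python
"""Generate and sanity-check a Junos MX 'family inet' port-mirror configuration.

Added example, not code from the original post. The interface names, the
1.1.1.0/30 link and the TAP MAC used in main() are the post's values; the
checks and warnings below are this example's own additions.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def build_port_mirror_config(mirrored_ports, dump_port, link, tap_mac,
                             filter_name="port-mirror"):
    """Return (set_commands, warnings) for mirroring mirrored_ports to dump_port.

    mirrored_ports -- physical ports whose unit-0 traffic is copied, both directions
    dump_port      -- port wired to the appliance's TAP interface
    link           -- IPv4 network (/30 or larger) used only to satisfy family inet
                      on the dump port: first host address goes on the router, the
                      second becomes the dummy next-hop with a static ARP entry
    tap_mac        -- MAC the TAP port answers to (it has no IP, so no real ARP)
    """
    net = ipaddress.ip_network(link, strict=True)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("expected an IPv4 network of /30 or larger, got %s" % link)
    tap_mac = tap_mac.lower()
    if not MAC_RE.match(tap_mac):
        raise ValueError("malformed MAC address: %s" % tap_mac)
    if len(set(mirrored_ports)) != len(mirrored_ports):
        raise ValueError("duplicate port in mirrored_ports")
    if dump_port in mirrored_ports:
        # Mirroring the dump port would feed mirrored copies back into the mirror.
        raise ValueError("dump port %s must not be in the mirrored set" % dump_port)

    # Both addresses come from the same network, so the ARP entry always lies
    # inside the interface's subnet and never equals the interface address.
    local_ip, next_hop = list(net.hosts())[:2]

    warnings = []
    if not net.is_private:
        warnings.append("%s is not RFC 1918 space; use a private range for the dummy link" % net)

    cfg = [
        # Step 1: copy every packet (rate 1) out of dump_port toward the dummy next-hop
        "set forwarding-options port-mirroring input rate 1",
        "set forwarding-options port-mirroring family inet output interface %s.0 next-hop %s"
        % (dump_port, next_hop),
        "set forwarding-options port-mirroring family inet output no-filter-check",
        # Step 2: one catch-all term; port-mirror is non-terminating, so accept follows it
        "set firewall family inet filter %s term mirror then port-mirror" % filter_name,
        "set firewall family inet filter %s term mirror then accept" % filter_name,
    ]
    # Step 3: apply the filter in both directions on every mirrored port
    for port in mirrored_ports:
        for direction in ("input", "output"):
            cfg.append("set interfaces %s unit 0 family inet filter %s %s"
                       % (port, direction, filter_name))
    # Step 4: dummy address on the dump port plus a static ARP entry for the
    # next-hop, so mirrored frames carry the TAP's MAC without any ARP exchange
    cfg.append("set interfaces %s unit 0 family inet address %s/%d arp %s mac %s"
               % (dump_port, local_ip, net.prefixlen, next_hop, tap_mac))
    return cfg, warnings


if __name__ == "__main__":
    # The post's own values; expect a warning about 1.1.1.0/30 not being private.
    lines, warns = build_port_mirror_config(
        ["ge-1/0/0", "ge-1/0/1", "ge-1/0/2", "ge-1/0/3"],
        "ge-1/0/4", "1.1.1.0/30", "00:1b:17:37:17:24")
    print("\n".join(lines))
    for w in warns:
        print("WARNING:", w)
```

Run it with the post's values and it reproduces the Step #1 and Step #4 lines exactly (including the next-hop 1.1.1.2 that the prose refers to) while warning that 1.1.1.0/30 should be swapped for a private range; feed it a port list that includes the dump port and it refuses rather than emitting a configuration that loops mirrored traffic.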

BYOD & Consumerization of the workplace: A progressive idea for the future

Posted by Senad on June 20, 2012
Posted in: Uncategorized.

So recently the buzz around the cloud conventions, vendors and corporations has been around the utilization of BYOD and user freedom.

The objection many corporations raise is that it is a "security risk".

I was in agreement with this particular train of thought until I was recently hit with an epiphany: as much as IT hates the idea of losing control, consumerization of the workplace is happening, and we either need to get on board or we will eventually be forced down that path.

We no longer live in a world where IT tells people what is best for them; we now live in a world where the user is educated enough to tell IT what they want in order to get the job done more productively. The problem is that IT needs to open its ears and start listening and providing the services. It is therefore my great honor to share an idea with the reader.

With people utilizing MDM solutions that sandbox mobile data, I will argue that, with time, we will see a similar containerization/sandbox environment for desktop/laptop operating systems. One can argue that with the latest Mountain Lion and Windows 8 releases we are coming ever closer to the merger of mobile OS and desktop/laptop OS platforms.

The New Age Staff Member
Today's staff member looks at company time as "their own time". They have played with cooler technologies than what the workplace can offer. They know exactly what they need to get the job done.

The new employee is not going to change, so it is easier for IT to accept the fact and work on a solution that allows for a more collaborative, productive and happy staff member.

Enter the new BYOD:
So you ask: what is the new BYOD? It is the ability to bring in any of their personal technologies (laptop, phone, etc.) that they deem an item that will make work better, not just a mobile phone solution. While there are solutions that offer this in the mobile world via Mobile Device Managers (MDM), they are simply too focused on mobile devices. Instead I will coin a new term, Corporate Device Manager (CDM), for a more comprehensive solution. One can think of it as VMware but with less overhead and a much more secured approach. To give you an idea of a CDM, see the image below:

Figure 1-1: [CDM diagram, image not included]

Benefits of giving users freedom and the ability to BYOD:

  • Higher productivity
    • A user will always be more comfortable with their own devices
    • Fewer lock-downs on the devices, while corporate data stays compartmentalized and freely wipeable
  • Allowing staff members choice is a sure way to improve loyalty and happiness
  • Staff members will become more accessible
    • They will always carry around their own personal devices (even on vacation) over corporate devices
  • More focused security
    • Having a containerized sandbox in the user's environment means that you no longer have to worry about the entire device. Instead you can focus all security technologies (DLP, etc.) on the sandboxed resource itself
  • Lower cost for companies
    • If a company lets users purchase their own devices it has a cost saving
      • The company can also make a bigger impact by paying a stipend (say, $1000 every x years) that gives users a choice

Security will always be a catch-up game. As much as we block, intercept, etc., the end user will always, in the end, find a way to bypass it if corporate technology is not allowing them to do their job, and security will always be a reactionary follow-up. A CDM offers the best of both worlds.

It is therefore my opinion that a corporate policy should encourage CDM-style BYOD, giving freedom to the users while also offering a properly sandboxed environment to do it in. It is the best trade-off for finance, IT, security and the end user: everybody wins.

However, as I write this today, time and technology may still need to catch up.

Palo Alto (PA-200) Initial Thoughts

Posted by Senad on May 8, 2012
Posted in: Palo Alto Networks, Uncategorized. Tagged: Palo Alto Networks.

I got my PA-200 at home last night and played around with it.

To me it feels like the GUI intuition of an ASA and the CLI of JunOS combined into one (best of both worlds).

Granted, I turned on all functionality in the lab, but it is only serving a total of 4 people, so I cannot run load stress tests; still, it works really well!

Pros I can see right off the bat in the environment:
  • Does URL filtering (cost savings and reduced management overhead)
  • USER-ID gives you much more granularity about user utilization
  • APP-ID gives you information about app signatures and security utilization
  • Spyware/malware/AV/URL protection at the network level
  • Simple to figure out if you know ASA/JunOS configurations
  • IPS capabilities
  • Simplifying management can give you great ROI potential
  • Many other features

Concerns are:
  • All-in-one devices: I have yet to have "good luck" with all-in-one devices. I will be trying to generate a packet-flood scenario in the home lab shortly to see what load looks like with all features turned on. It won't be 100% real world, but with the tools I have it is the closest I can get. I will also try to find some lab results accordingly.

I will be setting up a new lab between my ASA, SRX and PA shortly to do some testing and configuration examples in my free time, and of course will share it with followers accordingly.

Stay tuned!

Juniper SRX management routing-instance limitations

Posted by Senad on March 9, 2012
Posted in: Uncategorized.

Having used routing-instances on the MX series to segregate management functions/protocols away from insecure internet sources, I ran into a limitation that is unique to the SRX platform.

Normally, for management on an MX series, one creates a separate routing instance apart from the main routing instance (see image below). This segregation reduces the potential security holes in your design: management protocols never share a routing table with internet-facing traffic.

Design Main Points:
Create a MGMT routing-instance and use rib-groups to import/export routes between the main inet.0 table and MGMT.inet.0, then NAT and re-route certain management protocols/functions (NTP, NETCONF, syslog, SNMP, etc.) from the main routing table (inet.0) into MGMT.inet.0.

Note: This assumes your company is strict about opening ports and about NAT cross-talk between devices in your outside region. That is the norm in corporations with standards; less so in smaller companies that do not care much for security, of course.

[Figure: SRX management routing-instance limitations diagram]

Underlying Problem:
While most items can be re-routed and transferred over, one particular item is not doable on the SRX systems themselves.

If you want to point the SRX at an internal NTP server (the one keeping time for all of your server equipment), SRX series routers simply cannot route NTP over any instance but the main one (i.e. inet.0).

So why doesn't it work on the SRX series?
It is the way the SRX boot-up procedure is set up: it will always use the main routing table (inet.0).

KB Article:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB22499&actp=RSS

The little differences are usually the annoying ones, so hopefully somebody will find this article in case they have similar designs and requirements.
