Posts filed under Tips'n Tricks

Juniper SRX Apply-groups

A while back I wrote a blog post about enabling global logging on security rules.  This week I applied the same technique to enable ping on all zones for testing / troubleshooting purposes.

Instead of adding ping as a host-inbound-traffic system-service to all zones (and if you have a couple of zones, this means some configuring), you can solve this by adding just 3 (three) lines of config to the firewall.

Posted on July 15, 2013 and filed under Security, Tips'n Tricks, Junos.

Configure Application Firewalling On A Juniper SRX

Juniper entered the realm of application firewalling with the release of Junos 11.4 (for SRX platforms). A realm that is mainly dominated by Palo Alto (they basically invented it) and Check Point, but more and more vendors are starting to move in on that territory.
And Juniper is one of those vendors that started to implement Application Firewalling (AppFW) on their (SRX) firewalls. 

This post will show what needs to be done to enable AppFW, and how to configure those policies by using the J-Web interface and the CLI. The Junos software used in this exercise is version 12.1X44.4.

Cisco ISE: Change of Authorization (CoA) not working

We had a wireless security implementation at a customer site which consisted of the following components:

The setup included a wireless LAN for guest access by using the Cisco ISE guest portal functionality.

We started by configuring the WLCs and ISE environment, and having done that, everything worked like a charm. A couple of days later we were not able to connect to the wireless network.
The error reported in the ISE Authentications overview was:

Dynamic Authorization Failed : 11213 No responds received from Network Access Device

Posted on April 2, 2013 and filed under Annoying, Security, Tips'n Tricks.

Juniper SRX With DNS Proxy Service Enabled

Since the release of Junos v12.1x44D10 for branch SRX firewalls, Juniper added a feature called DNS-Proxy. This feature enables the Junos device as a caching DNS server with several additional options. One of those features is to define a Fully Qualified Domain Name (FQDN) with an IP address which overrides (if it exists) the entry in the 'official' DNS system on the Internet.

Posted on February 20, 2013 and filed under Tips'n Tricks, Security, Junos.

Use One SSL Certificate in an ISPConfig3 Configuration

Last year I implemented an ISPConfig3 configuration for personal use. Mainly to host some e-mail domains, and perhaps some basic websites. This setup was relatively easy to implement and should have been a breeze to maintain.... Until I got an email from the provider last Tuesday, mentioning that my Linux VPS was attacking other hosts around the world..... *GASP*.. my VPS had (most likely) been assimilated into a botnet of some sort, and it was flooding a ton of other hosts.

Posted on February 15, 2013 and filed under Software, Tips'n Tricks, Security.

Moving The Camera

while taking a photo will create (in general) photos that most people will throw away the instant they see them. You can however exaggerate the moving part on purpose, and create some nice abstract photos (as shown below).

Note that you need to adjust the amount and direction of motion to the circumstances. Another important part is the shutter time in relation to how fast you're moving / tilting the camera. This must be long enough to create the blurring part.

Just try it.

Posted on January 11, 2013 and filed under Photography, Tips'n Tricks.

Filter / Block IP Addresses On A Juniper SRX

While exploring the configuration options on the Juniper SRX firewall, I stumbled upon the so-called firewall filters. These filters are not to be mistaken for the firewall policy rules. They are something different, but can be used for achieving similar goals.

In my case, I wanted to see if it was possible to quickly block a list of IP addresses (or subnets) without the hassle of creating addressbook entries (Address Sets). My list of IP addresses consists of known hosts that participate in the criminal ZeuS network. These IP addresses are either Command&Control servers or servers used to transfer (captured) data to. In any case, servers you don't want to communicate with.

The solution on the SRX is to create a firewall filter containing the list with hosts / networks. The filter, in my case, is applied to the outgoing interface (fe-0/0/0).

Posted on January 9, 2013 and filed under Security, Tips'n Tricks, Junos.

Adobe Creative Suite 2 For Free

Looks like Adobe is giving away the (old) Creative Suite 2 for both Windows and Mac. The CS2 download page contains direct links to all the CS2 products (individual products and the entire Creative Suite 2 installer) AND their license keys.

Product License Key
Photoshop CS2 [Mac] 1045-0410-5403-3188-5429-0639
Photoshop CS2 [Win] 1045-1412-5685-1654-6343-1431

So if you would like to experiment with Photoshop (legally), but don't want to pay a premium price, this is one way of doing it.

There are some caveats you need to consider:

  • The system requirements: the CS2 suite for the Mac doesn't run on the Intel CPU, so you need a PowerPC based Mac, OR you need Rosetta. And the latter is no longer available for OSX (Mountain) Lion. I do not know if CS2 will run on Windows Vista, 7 or 8. But you can always run the software in a virtual machine.
  • CS2 has a limited Adobe Camera Raw (ACR) converter, which means that it won't be able to open RAW files from newer cameras. As a workaround you can first convert your RAW files with the Adobe DNG Converter [Windows | Mac], and open those files with Adobe Photoshop CS2.

Posted on January 8, 2013 and filed under Software, Tips'n Tricks.