Using EX Firewall Filters With UAC

Network Access Control (NAC) is hot in Enterprise environments. NAC offers an excellent mechanism to (safely) allow various devices network connectivity and staying in control as a network administrator. There are numerous ways to allow iOS devices, BYOD, CYOD, Corporate laptops onto your network without compromising valuable corporate resources.

In my line of work I deal with several vendors / solutions to create these NAC protected environments. The most popular at the moment are;

Identity Service Engine (ISE) from Cisco
Junos Pulse Access Control (UAC) Service from Juniper

Both solutions have their pro's and cons. Juniper has an excellent client for the desktop to safely connect to the network, and an integration with their SRX firewalls to (dynamically) enforce firewall policies on a per user basis. Cisco on the other hand has a more flexible way of creating access policies, and the use of so-called downloadable Access Lists (dACL).

Posted on December 20, 2013 by Willem and filed under Junos, Security, Tips'n Tricks and tagged Junos firewall filter Juniper dot1x RADIUS Pulse UAC NAC Network Access Control.

Quick And Dirty Juniper SRX IDP Test Config

When implementing a SRX IDP (Intrusion Detection and Prevention) configuration, you may want to check if everything is working properly. The 'default' templates supplied by Juniper can't be tested easily, since they protect your network from very specific attacks. Chances are small that you'll see one while you're testing.

I usually use a simple ICMP-TEST policy which will drop all ICMP traffic, and logs the event to a local file (for basic testing, but you'll want to forward these events to a syslog server).

IDP Config:

set security idp idp-policy ICMP-TEST rulebase-ips rule 1 match from-zone any
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 match source-address any
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 match to-zone any
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 match destination-address any
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 match application default
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 match attacks predefined-attacks ICMP:INFO:ECHO-REPLY
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 match attacks predefined-attacks ICMP:INFO:ECHO-REQUEST
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 then action drop-packet
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 then notification log-attacks alert
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 then severity critical
set security idp active-policy ICMP-TEST

Add the IDP to the appropriate firewall rules and verify that your ICMP (ping) packets are being dropped.

Firewall rule example:

set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services idp

If your ICMP packets aren't being dropped while 'pinging' to Google DNS (8.8.8.8), you dit something wrong :-)

Verification of IDP functionality in Splunk.

Posted on November 1, 2013 by Willem and filed under Junos, Security, Tips'n Tricks and tagged idp srx example.

I'm Published (sort of...)

Someone mentioned that they found a link to my website in a Juniper exam training PDF. Looks like I did a good job on describing the implementation of the Application Firewall feature in the Juniper SRX.

Here is the link to the actual article.

Posted on October 31, 2013 by Willem and filed under Junos, Personal, Security, Tips'n Tricks and tagged exam srx AppFW Juniper.

Junos Dual ISP Backup Route Configuration

The last couple of years, we've had two ISP's on premise. One (XS4ALL) for basic Internet Access via VDSL, and one our (VoIP) phone provided by Ziggo. The Ziggo phone services includes free (and ultra lite) Internet access through the use of their cable modem. It's ultra-lite, since it's only 256kbps. More than enough for VoIP, but not nearly enough for modern basic Internet access.

Having these two ISP's means that I should be able to provide some redundancy in case my primary DSL connection fails (for whatever reason). Preferably an automated fail-over of some kind. Since there are no dynamic protocols available from either ISP (the Internet service is consumer-grade), I have to find some work-around.

Posted on August 16, 2013 by Willem and filed under Security, Tips'n Tricks, Junos and tagged IP monitoring fail-over ISP dual isp Splunk Juniper.

Capture Network Traffic With Wireshark Under Ubuntu

When you install Wireshark on Ubuntu Linux you need to be root to be able to capture traffic. The standard user doesn't have enough privileges to do this.

A workaround for this is to add the user to a wireshark group and give the group special permissions. Afterwards, you're able to cpature traffic in Ubuntu with Wireshark, without needing root access.

The complete list of commands:

sudo groupadd wireshark

sudo usermod -a -G wireshark <YOUR-USER-NAME>

sudo chgrp wireshark /usr/bin/dumpcap

sudo chmod 750 /usr/bin/dumpcap

sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

sudo getcap /usr/bin/dumpcap

Just reboot, or log out and back in, and you're finished.

HAPPY CAPTURING

Posted on August 14, 2013 by Willem and filed under Linux, Tips'n Tricks and tagged wireshark ubuntu.

Choose Your Password (Language) With Care

When you want to use words / sentences in a password, it pays to use a non-English dictionary. Just check the Kaspersky blog on strong passwords., and try it for yourself.

The English word combination 'horse' and 'toad' are considered weaker than the Dutch equivalent ('paard' and 'pad').

Posted on August 5, 2013 by Willem and filed under Security, Tips'n Tricks and tagged password kaspersky strong dictionary strength.

Create a Juniper SRX ca-profile For Unified Access Control

When you have a registered Juniper UAC / IC appliance, you have to option to download a VMWare version of the system. This is called a DTE appliance (Development and Test Environment). With this you have a full-blown UAC at your disposal for testing and development. Only downside is that it's limited to 5 connected users. Apart from that, it's just like the real-deal.

Posted on July 30, 2013 by Willem and filed under Security, Tips'n Tricks, Junos and tagged xca srx UAC Unified Access Control PKI Juniper.

Kobo Glo Illuminated Screen

The Kobo and Sony e-reader both have excellent e-ink displays. No difference on that front. The biggest difference is the fact that the Kobo Glo has a build in light. This makes it possible to read in the dark. The following images show the difference of the screen compared to the Sony PRS-T2 with the following Kobo Glo lights settings;

No Light
Minimal Light (1%)
50% Light
100% Light

The photos were shot with an iPhone under poor light circumstances.

I have no problem with reading in the dark (pitch black) with the minimal light setting (1%). Just throw in more light if you need/want more contrast when reading in the dark.

Posted on July 26, 2013 by Willem and filed under Tips'n Tricks, Review, Gear and tagged Kobo Glo Sony PRS-T2 Screen Contrast Light illumination ereader.

Kobo Glo eBook Library Management With Calibre

Since the bookcase in our living room is is reaching its maximum capacity, we're moving from traditional books to e-books.

My wife already has the Sony PRS-T2 e-reader, and this week, I bought the Kobo Glo for myself. The reason for choosing the Kobo Glo is that it has an illuminated screen (which you can turn on and off). So it enables me to read in the dark. No need for an additional light. It does drain the battery faster if you enable the integrated light. Not as fast as I thought initially, but compared to the battery life of the Sony reader, the difference is significant (weeks instead of months).

This post won't review the Kobo Glo itself. There are numerous other reviews online available. So, if you're looking for an in-depth review, please follow this link and pick one of the search results.

This post goes into the e-book management for the e-reader. Especially on how to sort and display series (e.g. the Jack Reacher books by Lee Child). Even though the post describes the management for the Kobo (Glo), it's possible as valid for other e-readers. The (textual) information was gathered from several sources on the Internet (and added as a source of that information).

Posted on July 25, 2013 by Willem and filed under DRM, Tips'n Tricks, Review and tagged ebook calibre metadata ereader Kobo.

International Interest in My 'Brand'

This week, I found the following mail in my mailbox. Not really sure what the scam is, but I'm sure it's gonna cost me money....

(Letter to the President or Brand Owner, thanks)
Dear President,
We are a domain name registration and protection agency in Asia. I have something to confirm with you. We formally received an application on July 16,2013 that a company which self-styled"Togh International Co.,Ltd"were applying to register"redelijkheid"as their Brand Name and some domain names through our firm.
Now we are handling this registration, and after our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we will finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we will handle this issue better. Out of the time limit we will unconditionally finish the registration for"Togh International Co.,Ltd".Looking forward to your prompt reply.
Best Regards,
David Zhao
Tel:+86(0551)63434624
Fax:+86(0551)63434924
Address:HuiZhou Ave 999, Hefei, Anhui, China

Posted on July 19, 2013 by Willem and filed under Annoying, Personal, Tips'n Tricks and tagged 419 scam DES Service DSA Service.