Juniper entered the realm of application firewalling with the release of Junos 11.4 (for SRX platforms). A realm that is mainly dominated by Palo Alto (they basically invented it) and Check Point, but more and more vendors are starting to move in on that territory.
And Juniper is one of those vendors that started to implement Application Firewalling (AppFW) on their (SRX) firewalls.
>30 Nerds In A Zoo
Last weekend, I hooked up with >30 (other) photogs/nerds/geeks/whateveryoucallthem in the Burgers' Zoo in Arnhem (NL). The objective: to capture some animals (on film or digital media), and to talk about everything related to (but not limited to) photography.
I attended several of these meetings over the years, and I must say that these outings are always a lot of fun. This time I brought my Leica M9 (28mm, 35mm and 50mm), and my Nikon D300 (with the Nikkor 70-200 f/2.8 VR).
Apart from the mainstream gear that was around (Canon, Nikon with their $$$ L/Pro lenses), there were some oldies as well. A Canon VT rangefinder (with a rapidwinder in the bottom plate) from the early 50's, with some Canon 39mm screw lenses that were almost as old as the camera.
Out of Ink? Buy a New Printer
A couple of years ago, I bought a Canon Pixma IP4500 printer for approx. €80. The reason for buying was that I was able to print documents (concert tickets, etc.) and the occasional photo. Generally, I send my photos to a lab, so I don't need an expensive state-of-the-art photo printer.
Recently, I ran out of ink for the printer. The third time in three or four years. The IP4500 holds separate cartridges for each color. This means that I need to invest around €15 for each cartridge. Total costs: >€60.
While I was standing in the store, I saw a new Canon (color) printer for less than €50. This included the ink (for that model). Well, that was an easy decision. Out the 'old' printer and in a new multifunctional printer (Canon MG2250). It prints, scans and copies, while the old printer could only do one thing; print.
There are probably several persons out there that would recommend off-brand inks. Sure, it's possible to buy off-brand, but that introduces the hassle of:
- removing of chips, and taping them to new containers, and/or
- drilling holes to inject new ink into the container.
- resetting software by pressing 5 buttons with three fingers for 20 seconds to lure the printer into thinking that everything is alright. And this can (and will) re-occur every once in a while.
All that to save a couple of bucks. No thank you.
Anyway, I have a new printer (with ink), and the old one is heading for the garbage dump.
"Why not sell it", you ask? Well, no person will ever want to buy it (with no ink in it), since they can get a new printer WITH ink for less money. How fucked up is that?
I wonder if we will ever throw away a car, just because it ran out of petrol and buying a new car (with petrol) is cheaper.
Cisco ISE: Change of Authorization (CoA) not working
We had a wireless security implementation at a customer site which consisted of the following components:
- Cisco Wireless LAN Controllers
- Cisco Prime Infrastructure
- Cisco Identity Service Engine
The setup included a wireless lan for guest access by using the Cisco ISE guest portal functionality.
We started by configuring the WLCs and ISE environment, and having done that, everything worked like a charm. A couple of days later we were not able to connect to the wireless network.
The error reported in the ISE Authentications overview was:
Dynamic Authorization Failed : 11213 No responds received from Network Access Device
iOS: Move Contacts Between Address Books
This post isn't for those who only use one address book on their iOS device. I, for example, have two different address books on my iOS device. The first is my private iCloud address book with personal contacts. For my work I have an Exchange account, with the associated Exchange address book. This works fine when you're NOT creating contacts on the iOS device.
User Quota on CentOS 6.x With ISPConfig3 Not Working
I implemented an ISPConfig3 config on CentOS v6.x, but forgot to enable the user quota option. I did, however, install the quota module during the installation and configuration (# yum install quota).
Trying to enable the user quota options, I ran into several challenges:
- My environment is based on a hosted virtual machine, and not a physical machine as described in the various manuals.
- Vague tips'n tricks on how to enable user quota
iPhone Stuck At Infinite Loop After iOS Update
The old iPhone 3G got stuck in an infinite restore loop after upgrading to iOS 6.1.2 this evening. As you might understand, the missus was not amused....
The infinite restore loop means that it keeps saying that it needs to be restored from within iTunes, but after doing that several times, you tend to lose faith. After trying it several times on a Windows laptop I tried it on my iMac. While it was restoring for who knows how many times, I did some research on the Interwebs. The results were not encouraging.
I started gathering information, and some tools (like Tiny Umbrella) to break it from its infinite loop. After the restore the iPhone booted just fine. No idea what made it break its loop. Could be coincidence, could be my iMac. No idea.
Anyway, the missus is busy restoring the data. She (or iTunes) made a backup just before the backup. So all should be back to normal in a few minutes.
Juniper SRX With DNS Proxy Service Enabled
With the release of Junos v12.1x44D10 for branch SRX firewalls, Juniper added a feature called DNS-Proxy. This feature enables the Junos device to act as a caching DNS server with several additional options. One of those options is to define a Fully Qualified Domain Name (FQDN) with an IP address which overrides (if it exists) the entry in the 'official' DNS system on the Internet.
Use One SSL Certificate in an ISPConfig3 Configuration
Last year I implemented an ISPConfig3 configuration for personal use. Mainly to host some e-mail domains, and perhaps some basic websites. This setup was relatively easy to implement and should have been a breeze to maintain.... Until I got an email from the provider last Tuesday, mentioning that my Linux VPS was attacking other hosts around the world..... *GASP*.. my VPS had (most likely) been assimilated into a botnet of some sort, and it was flooding a ton of other hosts.
Public DMZ Access From Within The Network
This post basically describes the technique of how to deal with traffic originating from the inside of a firewall, and directing the traffic over the external interface IP address to a different internal zone.
First a network overview of the things used in this setup.