Use Cisco ISE for RADIUS Authentication with Juniper Junos Devices

While preparing for some Juniper exams, I wanted to test RADIUS authentication for Junos device access. This way of authenticating is helpful in larger networks. Instead of providing all the devices with several usernames and passwords you can use a centralized RADIUS server for authenticating on all those devices. If that RADIUS server uses the Active Directory as a user database you can login on your network devices using your regular username and password.

The RADIUS server of choice (at the moment of writing this) is Cisco Identity Service Engine (ISE). Overkill for this specific blog post, but fun to do.

Posted on January 22, 2014 by Willem and filed under Junos, Security, Tips'n Tricks and tagged Cisco ISE RADIUS Splunk.

Juniper SRX IDP Attack Log Investigation

Last week I fiddled with the IDP functionality on my SRX100H. I eventually installed a modified version of the so-called "Recommended" IDP policy. The full Recommended policy consumes to much memory on the SRX100H, so I had to remove some rules.

After installing the IDP policy I 'configured' Splunk to run reports on IDP Attack Events (IDP Attacks in the last 24 hours). This way I have a nice overview of the detected attacks.

Today I checked the logging, and to my surprise I found several IDP_ATTACK_LOG_EVENT entries in the log. This triggered my curiosity a bit.

Thankfully I use an NTP server for syncing all the devices around the house, so working backward shouldn't be too hard.

The IDP event was triggered by my iMac which had the 192.168.1.109 IP address at the time (hurray for DHCP logging). The reported exploit (HTTP:XSS:HTML-SCRIPT-IN-URL-VAR) is basically website related, so I started to dig through the browser history. Turned out that I visited the Victorinox website at the time looking for winter coats. During my visit at the website I tried to find a local store where they sell these items, but for some reason the 'Store Locator' thingy on the website didn't work. Now the logging explained why it didn't work.

It looks like they use a map-service (hosted on the destination address 199.16.46.10) in combination with some cross-site-scripting to deliver the functionality.

I tested this again, and indeed, every time I go to that website and try to locate a store, the same IDP_ATTACK_LOG_EVENT occurs.

In this case the cross-site-scripting (XSS) is relatively harmless. The use it to display a map with possible stores based on your query. Unfortunately, there are numerous other scenario's where this (XSS) isn't harmless.

Posted on November 11, 2013 by Willem and filed under Junos, Security and tagged idp Splunk Juniper.

Junos Dual ISP Backup Route Configuration

The last couple of years, we've had two ISP's on premise. One (XS4ALL) for basic Internet Access via VDSL, and one our (VoIP) phone provided by Ziggo. The Ziggo phone services includes free (and ultra lite) Internet access through the use of their cable modem. It's ultra-lite, since it's only 256kbps. More than enough for VoIP, but not nearly enough for modern basic Internet access.

Having these two ISP's means that I should be able to provide some redundancy in case my primary DSL connection fails (for whatever reason). Preferably an automated fail-over of some kind. Since there are no dynamic protocols available from either ISP (the Internet service is consumer-grade), I have to find some work-around.

Posted on August 16, 2013 by Willem and filed under Security, Tips'n Tricks, Junos and tagged IP monitoring fail-over ISP dual isp Splunk Juniper.

Upgrading Splunk on Ubuntu Linux

Just a small post with the instructions on upgrading Splunk on Ubuntu Linux.

First download the Splunk update. The Splunk website also gives you the wget command, which you can use directly on the Linux commandline.

Posted on November 10, 2011 by Willem and filed under Linux, Software, Tips'n Tricks and tagged Linux Splunk ubuntu upgrade.

Hostname and (Apple) Mail Server Dependencies

My Mac Mini with OSX Server had this thing that the hostname (as displayed in the Terminal app) would change after a reboot. Something that annoyed me tremendously. Thankfully there are several (Terminal) commands to change the hostname (back) to its 'original name'.

Since I wanted to change my hostname PERMANENTLY, I used the following command:

sudo scutil –set HostName new_hostname

This worked perfectly. Or so I thought.

Posted on June 29, 2011 by Willem and filed under Apple, Internet, Tips'n Tricks and tagged Splunk amavis amavisd hostname mail refused.

Dissecting SRX RT_FLOW Logs with Splunk

Now that I have a SRX running at home and a syslog server powered by Splunk (free version) it's time to be able to understand the logging. The raw logging is pretty unreadable for the average Joe. Thankfully, Splunk can be used to make more sense of it.

Downside is that I haven't found any add-ons / plugins etc. for Splunk to analyze the logging of a Juniper SRX firewall. There is a post on the Splunk forum which offers two regular expression which can be used to define the RT_FLOW fields.

Posted on March 11, 2011 by Willem and filed under Security, Tips'n Tricks and tagged Splunk logging srx Juniper.

Chinese Government Shows 'Interest'

It's no surprise that a lot of cyberattacks originate from the the 'excellent' People's Republic of China. Some of these attacks are funded by or even originating from the Chinese government. Well, the latter is definitely true.

My (private) ssh server is a point of interest to the Chinese government, since they are trying to get in.

Every couple minutes a possible break-in entry is recorded in my logs. I guess that they decided not to hammer the front door, in order to evade automatic blacklisting of the originating IP.

reverse mapping checking getaddrinfo for mail.zdpri.gov.cn [218.108.28.189] failed - POSSIBLE BREAK-IN ATTEMPT!

I checked the IP and it seems to host the web-mail for the Zhejang prov. Development Planning & Research Institute [1].

I guess it's time to tighten the timers on blacklisting.....

B.t.w. The reporting on the IP was provided by Splunk. Excellent tool for digging in logfiles and reporting.

Posted on November 18, 2010 by Willem and filed under Annoying, Security and tagged Splunk blacklisting chinese government sshd.

Splunk> Making Sense of Logfiles

My area of expertise in the professional world is Network Security. This includes protecting network from intrusions, but also delivering reports about the network status. For the latter we use SIEM(like) environments like the Cisco CS-MARS and the Juniper STRM.
The 'problem' with these devices is that they are great in reporting incidents and creating awesome reports about everything, but they lack the functionality to do some serious investigating.

I have several customers with a SIEM, and most of them still use (Linux) commandline tools like awk, grep, etc. these tools work, but you need to scrape everything together yourself, and building queries can be quite challenging. This is where Splunk> comes in.

Posted on July 13, 2010 by Willem and filed under Security, Software, Tips'n Tricks and tagged SIEM Splunk logfiles.