Juniper entered the realm of
application firewalling since the release of Junos 11.4 (for SRX
platforms). A realm that is mainly dominated by Palo Alto (they
basically invented it) and Checkpoint, but more and more vendor's are
starting to move in on that territory.
And Juniper is one of those vendors that started to implement Application Firewalling (AppFW) on their (SRX) firewalls.
Posts filed under Security
Cisco ISE: Change of Authorization (CoA) not working
We had a wireless security implementation at a customer site which consisted of the following components:
- Cisco Wireless LAN Controllers
- Cisco Prime Infrastructure
- Cisco Identity Service Engine
The setup included a wireless lan for guest access by using the Cisco ISE guest portal functionality.
We
started by configuring the WLC's and ISE environment and having done
that everything worked as a charm. A couple of days later we we were not
able to connect to the wireless network.
The error reported in the ISE Authentications overview was:
Dynamic Authorization Failed : 11213 No responds received from Network Access Device
Juniper SRX With DNS Proxy Service Enabled
Since the release of Junos v12.1x44D10 for branche SRX firewalls, Juniper added a feature called DNS-Proxy. This features enables the Junos device as a caching DNS server with several additional options. One of those feature is to define a Fully Qualified Domain Name (FQDN) with an IP address which overrides (if it exists) the entry in the 'official' DNS system on the Internet.
Use One SSL Certificate in an ISPConfig3 Configuration
Last year I implemented an ISPConfig3 configuration for personal use. Mainly to host some e-mail domains, and perhaps some basic websites. This setup relatively easy to implement a should have been a breeze to maintain.... Untill I got an email from the provider last Tuesday, mentioning that my Linux VPS was attacking other hosts around the world..... *GASP*.. my VPS had (most likely) been assimilated into a botnet of some sort, and it was flooding a ton of other hosts.
Public DMZ Access From Within The Network
This post basically describes the technique of how to deal with traffic originating from the inside of a firewall, and directing the traffic over the external interface IP address to a different internal zone.
First a network overview of the things used in this setup.Filter / Block IP Addresses On A Juniper SRX
While exploring the configuration options on the Juniper SRX firewall, I stumbled upon the so-called firewall filters. These filters are not to be mistaken for the firewall policy rules. They are something different, but can be used for achieving similar goals.
In my case, I wanted to see if it was possible to quickly block a list of IP addresses (or subnets) without the hassle of creating addressbook entries (Address Sets). My list of IP addresses consists of known hosts that participate in the criminal ZeuS network. These IP addresses are either Command&Control servers or servers used to transfer (captured) data to. In any case, servers you don't want to communicate with.
The solution on the SRX is to create a firewall filter containing the list with hosts / networks. The filter, in my case, is applied to the outgoing interface (fe-0/0/0).Enable Global (Security) Logging On SRX Policies
Normally, one would enable logging on each security policy. If you have hundreds of policies, and you want/need logging for troubleshooting, it takes a while (and some serious) effort to enable this for all policies.
Ziggo Internet, Juniper Firewalls and DHCP
At the house I have currently two ISP delivering broadband. Well, broadband isn't the correct word, since the the one of them is only a mere 256kbps (I think). The other is a 'whopping' 20Mbps.
The 20Mb connection is provided by XS4ALL, and the 256kbps is for free (if you have a phone subscription with Ziggo). The 256kbp is the minimum they provide to transport the phone calls, but if you're a masochist you can also browse the internet over that connection.
So, two ISP @ home. Combine that with a Juniper SRX firewall, and a dual ISP setup is born. The theory of that setup is that I connect both ISP's to the firewall, and use the 20Mb line as a default internet connection, but when that one dies, I automatically get switched to the backup line (256kbps).
Junos Pulse, Apple iOS, and Split-Tunneling
When you create (SSL)VPN access for you employees, you might enable split-tunneling to save corporate bandwidth. No split-tunneling means that all traffic is forwarded into the VPN tunnel. So if you browse the internet with an active VPN, the traffic goes through the VPN, and accesses the Internet through the corporate Internet connection. This isn't a big problem with a couple of employees, but with hundreds on the road or working from home, this might frustrate the employees in the building.
Changing SSL Certificates in a ISPConfig v3 Configuration
When you install a Perfect Server based on Centos and ISPConfig v3.x, the system / 'installer' creates for the components self-signed certificates. All these certificates will generate different warnings in your browser, mail clients etc. So time to eliminate those warnings.
First I needed to find out where all those certificates are located, and what there formats are. In my case, there are three services that use SSL/TLS in some form;
- Postfix SMTP service
- Courier IMAP service
- http / Apache2 webservice
Checking the configuration files will reveal their locations.