Search the Site

 

Top
Blog

My Social
Services
Meta
Powered by Squarespace

Entries in Security (68)

Thursday
Aug092012

Ziggo Internet, Juniper Firewalls and DHCP

DateThursday, August 9, 2012 at 18:20

At the house I have currently two ISP delivering broadband. Well, broadband isn't the correct word, since the the one of them is only a mere 256kbps (I think). The other is a 'whopping' 20Mbps.
The 20Mb connection is provided by XS4ALL, and the 256kbps is for free (if you have a phone subscription with Ziggo). The 256kbp is the minimum they provide to transport the phone calls, but if you're a masochist you can also browse the internet over that connection.

So, two ISP @ home. Combine that with a Juniper SRX firewall, and a dual ISP setup is born. The theory of that setup is that I connect both ISP's to the firewall, and use the 20Mb line as a default internet connection, but when that one dies, I automatically get switched to the backup line (256kbps).

Click to read more ...

AuthorWillem | CommentPost a Comment | Reference1 Reference |
tagged , , , , in , , , ,
Friday
Jun152012

Junos Pulse, Apple iOS, and Split-Tunneling

DateFriday, June 15, 2012 at 23:15

When you create (SSL)VPN access for you employees, you might enable split-tunneling to save corporate bandwidth. No split-tunneling means that all traffic is forwarded into the VPN tunnel. So if you browse the internet with an active VPN, the traffic goes through the VPN, and accesses the Internet through the corporate Internet connection. This isn't a big problem with a couple of employees, but with hundreds on the road or working from home, this might frustrate the employees in the building.

Click to read more ...

AuthorWillem | Comment2 Comments |
tagged , , , , , in , , ,
Saturday
Jan072012

Changing SSL Certificates in a ISPConfig v3 Configuration

DateSaturday, January 7, 2012 at 0:09

When you install a Perfect Server based on Centos and ISPConfig v3.x, the system / 'installer' creates for the components self-signed certificates. All these certificates will generate different warnings in your browser, mail clients etc. So time to eliminate those warnings.

First I needed to find out where all those certificates are located, and what there formats are. In my case, there are three services that use SSL/TLS in some form;

  1. Postfix SMTP service
  2. Courier IMAP service
  3. http / Apache2 webservice

Checking the configuration files will reveal their locations.

Click to read more ...

AuthorWillem | Comment1 Comment |
tagged , , , , in , , , ,
Wednesday
Jun082011

Microsoft Internet Explorer and IP Addresses in Certificate SAN

DateWednesday, June 8, 2011 at 22:55

A fairy long title, but it describes exactly what this post is about. Once again a post about a Microsoft product and the way it works (or rather doesn't work) with your average Internet standard.

This week I was busy with RADIUS, 802.1x, PKI and the protection of websites with SSL encryption. For the implementation of 802.1x, I needed a PKI environment, so I used the Microsoft Certificate Services for that purpose. Along the way, I needed an SSL certificate for an internal website, but this particular website needed to work properly based on different FQDN's and or IP addresses without throwing warining or errors regarding the SSL connection.

The way to do this is to add Subject Alternative Names (SAN) to the certificate. This enables you to access the website in different ways, e.g.;

  • Access a webmail host from the internet based on its official FQDN (https://webmail.somedomain.com)
  • Access the same webmail host from the inside of the corporate lan based on its internal name (https://webmail.acme.local)
  • And access the host from legacy DNS-unaware software on its IP address (https://192.168.1.254)

Click to read more ...

AuthorWillem | Comment2 Comments | Reference6 References |
tagged , , , , , , , in , , , ,
Friday
Mar112011

Dissecting SRX RT_FLOW Logs with Splunk

DateFriday, March 11, 2011 at 16:14

Now that I have a SRX running at home and a syslog server powered by Splunk (free version) it's time to be able to understand the logging. The raw logging is pretty unreadable for the average Joe. Thankfully, Splunk can be used to make more sense of it.

Downside is that I haven't found any add-ons / plugins etc. for Splunk to analyze the logging of a Juniper SRX firewall. There is a post on the Splunk forum which offers two regular expression which can be used to define the RT_FLOW fields.

Click to read more ...

AuthorWillem | Comment1 Comment |
tagged , , , in ,
Friday
Mar112011

Usefull Juniper SRX commands

DateFriday, March 11, 2011 at 11:27

This post contains several useful Junos SRX commands for the CLI. Mainly for myself, because I don't use those command regularly....

This post will be updated over time... Here it goes:

View session information:

root@srx100> show security flow session summary

Clear sessions through the firewall:

root@srx100> clear security flow session all

Switch to other node in a cluster via CLI (over the HA-link):

 root@srx100> request routing-engine login node 1

Click to read more ...

AuthorWillem | CommentPost a Comment |
tagged , , in ,
Friday
Mar112011

Configure SSL Certificate for Juniper J-Web Interface

DateFriday, March 11, 2011 at 10:03

By default, the J-Web interface (GUI for the Juniper SRX firewalls) has SSL enabled. Like most devices with SSL out-of-the-box, the protection is based on a self-signed certificate. Self-signed certificates are easy (they come basically out-of-the-box), but they tend to nag you every time you connect to the GUI. So, it's time to install a proper certificate.

In this case, I use the XCA (1) software to create a new certificate. This certificate is signed by my own root CA, which I installed on all of my devices and Operating Systems. Basically, I trust myself.....

According to the Juniper support pages on SSL certificate usage, I found out that the certificates are to be in the PEM format. No problem for XCA.

Click to read more ...

AuthorWillem | Comment2 Comments |
tagged , , , , , in , ,
Friday
Mar112011

AVN Fritzbox and the 'Exposed Host' Setting

DateFriday, March 11, 2011 at 1:08

The Fritzbox 7340 is the only real available VDSL modem/router in the Netherlands. Too bad, since it has some bugs (but what piece of software hasn't???). Fortunately, the router works well, just as long as you use it as the only networking device in your (small) network.

In the last couple of days I've been busy to add the Juniper SRX100 branch firewall to my local home network. The idea was the following:

  • The Fritzbox (FB) will remain the Internet router
  • My web/mail/ssh server is placed behind the SRX100
  • All the individual portforward rules in the Fritzbox are directed to the SRX100 by selecting the 'Exposed Host' in the FB.

Click to read more ...

AuthorWillem | Comment2 Comments |
tagged , , , , , , in , , , ,
Tuesday
Mar012011

Enable Juniper SRX Firewall Logging

DateTuesday, March 1, 2011 at 14:22

Juniper started to migrate their firewalls from Netscreen to the Junos environment 'a couple of' months back. The advantage is that there's a universal OS for routers, switches and firewalls. Just like Cisco IOS. The disadvantage is that the Junos OS is being adapted for the firewalls. So the foundations are there, but there are still lots of features missing and bugs are also still abundant.

The bugs are thankfully mostly related to the WebGUI. On the commandlinethe bugs are in the same league as the Cisco, Checkpoint and every other vendor bugs. No piece of software is perfect.

Click to read more ...

AuthorWillem | CommentPost a Comment |
tagged , , , in , , ,
Tuesday
Mar012011

Cisco Secure ACS 5.x and Apple OSX Directory (LDAP)

DateTuesday, March 1, 2011 at 13:50

For testing and development purposes I run a Cisco Secure ACS 5.x in a virtual machine at home. In this environment I also run an Apple Directory Service. I'll be using this setup to test several 802.1x and RADIUS authentication schemes.

To get things going I needed to connect to the ACS to my LDAP Directory. The Apple Directory Service is a bit different from the regular LDAP implementations. They seem to add the 'apple' reference in a lot of attribute values. Thankfully the ACS has a very versatile configuration interface.

Apple references in attribute valuesNormally, the group definition would be 'group' instead of 'apple-group'. So the configuration of the ACS should reflect these variations to the standard.

Click to read more ...

AuthorWillem | Comment4 Comments |
tagged , , , in , , ,
Page 1 2 3 4 5 ... 7 Next 10 Entries »