Network Security Archives — Page 2 of 2

Typical access-list on edge router

This is typical ACL which you can configure on the Public interface of your router in the Inbound direction.

ip access-list EDGE_ROUTER_FW_IN
 
remark ***DENY_FRAGMENTS***
deny tcp any PUBLIC_NETWORK fragments
deny udp any PUBLIC_NETWORK fragments
 
remark ***DENY_RFC3330***
deny ip host 0.0.0.0 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
 
remark ***DENY_RFC1918***
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
 
remark ***DENY_SPOOFING***
deny ip PUBLIC_NETWORK any
 
remark ***PERMIT_PEERS****
permit tcp host PEER host ROUTER eq bgp
 
remark ***PROTECT_INFRA***
deny ip any INFRA_NETWORK
 
remark ***PERMIT_PUBLIC_NETWORK***
permit ip any PUBLIC_NETWORK

Share this!

Internet routing table and damping on JunOS

To get an idea about the current number of Internet routes, for both IPv4 and IPv6:

moghaddas@USA> show route summary | match "inet|bgp"  
 
inet.0: 560133 destinations, 1663174 routes (558798 active, 0 holddown, 1525 hidden)
                 BGP: 1663124 routes, 558752 active
 
inet6.0: 24047 destinations, 47458 routes (23459 active, 0 holddown, 851 hidden)
                 BGP:  47444 routes,  23447 active

moghaddas@GER> show route summary | match "inet|bgp"
 
inet.0: 541278 destinations, 965338 routes (541118 active, 0 holddown, 206 hidden)
                 BGP: 965308 routes, 541091 active
 
inet6.0: 22658 destinations, 38527 routes (22558 active, 0 holddown, 104 hidden)
                 BGP:  38516 routes,  22549 active

moghaddas@IRE> show route summary | match "inet|bgp"
 
inet.0: 545571 destinations, 1547251 routes (545111 active, 0 holddown, 1237 hidden)
                 BGP: 1547185 routes, 545062 active
 
inet6.0: 23065 destinations, 65881 routes (23026 active, 0 holddown, 90 hidden)
                 BGP:  65860 routes,  23008 active

Now, imagine what would be the outcome of route flaps for a Service Provider environment with many eBGP neighbors. Instability and customer dissatisfaction!

The first solution to avoid such situations is BGP Route Dampening/Damping. Continue reading “Internet routing table and damping on JunOS”

Share this!

Renaming security policies on JunOS

Be careful while renaming a security policy on JunOS, since it will close the current session.

Unfortunately, what JunOS does, is removing the old-named policy and adds a new one.

I tried also with adding a new policy, inserting it before the old one, commit, then removing the old one and commit. But again interruption, which logically makes sense.

Test environment: JunOS 12.1X44-D35.5 on a SRX240h

UPDATE:
I tried on vsrx firefly-perimeter with JunOS 12.1X47-D20.7 and faced no drop!

Share this!

HowTo : Hardening GRUB

What is GRUB? Let’s ask Wikipedia:

GNU GRUB (short for GNU GRand Unified Bootloader) is a boot loader package from the GNU Project.

GRUB is the easiest way to hack into Linux systems!

First option to break into a Linux system is to edit the line ro quite splash as rw init=/bin/bash during system startup (usually triggered by pressing “e” on the list).
Second option would be using the Recovery Mode.

So the solution is to disable the Password Recovery option and set a password for GRUB.

Disabling Recovery in GRUB

root@debian:~# nano /etc/default/grub
....
# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY="true"
....
root@debian:~# update-grub

Setting a Password for GRUB

Creating a rescue copy of the file:

root@debian:~#cp /etc/grub.d/00_header /etc/grub.d/00_header.backup

Creating a GRUB Password:

root@debian:~#grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is grub.pbkdf2.sha512.10000.D01A1ABD624BA3DBDFACF2AE311617236143EE7E930E862706D3A4089AD1BDA1C0E1274EA0F53DC466100653C2BB164937D6D9932D90BC18F2F03C1E765389A8.F0C2399E571D1BFA6DD9107F031DEBF9BB1C0C15531CBCEA95C31D9CDA2FEBBCBF4BEE14AFA17CED8B2BA7800DC451BA7A0B222265B2CB69D590A2B11C0CE12B

Copy the output starting with grub.pbkdf2. and save it in a file:

root@debian:~# echo grub.pbkdf2.sha512.10000.D01A1ABD624BA3DBDFACF2AE311617236143EE7E930E862706D3A4089AD1BDA1C0E1274EA0F53DC466100653C2BB164937D6D9932D90BC18F2F03C1E765389A8.F0C2399E571D1BFA6DD9107F031DEBF9BB1C0C15531CBCEA95C31D9CDA2FEBBCBF4BEE14AFA17CED8B2BA7800DC451BA7A0B222265B2CB69D590A2B11C0CE12B > GRUP_PASSWORD

Add the following to the end of 00_header file:

cat << EOF set superusers=” password pbkdf2 PASSWORD grub.pbkdf2.sha512.10000.D01A1ABD624BA3DBDFACF2AE311617236143EE7E930E862706D3A4089AD1BDA1C0E1274EA0F53DC466100653C2BB164937D6D9932D90BC18F2F03C1E765389A8.F0C2399E571D1BFA6DD9107F031DEBF9BB1C0C15531CBCEA95C31D9CDA2FEBBCBF4BEE14AFA17CED8B2BA7800DC451BA7A0B222265B2CB69D590A2B11C0CE12B EOF
root@debian:~# update-grub

Share this!

How-To: Destination NAT in JunOS

You are asked to publish a local website on an external network such as Internet, and you have to do it in a secure manner using the SRX firewall at your office.

The procedure is pretty straight forward.

Local host’s zone (Local IP) : show route and show interface
Find out to which External (Global) IP address you should apply the D-NAT
External access zone (Global IP) : show route and show interface
OPTIONAL: Create “security address-book global” entries for source/destination addresses
If you are Port-Forwarding: Create an “application“
Define a “security policy“ from EXTERNAL zone to LOCAL zone, matching the source (external hosts), destination (local hosts) and application (local hosts’ protocol/port) parameters and then set the action as permit
Create a “NAT Destination Pool” for the Local IP and if Port Forwarding add the service’s port
Define a “security nat destination rule-set rule” matching the source (external hosts), destination (local hosts) and destination-port (local hosts’ port) parameters and then set the “destination-nat pool” to the pool created in last step

Below you will find a sample snippet of the configuration:

moghaddas@srx# show configuration | compare rollback 3
[edit security address-book global]
+ address EXTERNAL1 1.1.1.1/32;
+ address EXTERNAL2 2.2.2.2/32;
+ address LOCAL-WEB 192.168.3.3/32;
 
[edit security address-book global]
+ address-set EXTERNALs {
+    address EXTERNAL1;
+    address EXTERNAL2;
+ }
[edit security nat destination]
+ pool LOCAL-WEB {
+    address 192.168.3.3/32 port 80;
+ }
 
[edit security nat destination rule-set EXTERNAL_TO_LOCAL-DNAT]
+ rule EXTERNALs_TO_LOCAL-WEB {
+    description "YOU CAN WRITE SOME INFO HERE AS DESCRIPTION";
+    match {
+       source-address-name EXTERNALs;
+       destination-address 3.3.3.3/32;
+       destination-port 80;
+    }
+    then {
+       destination-nat pool LOCAL-WEB;
+    }
+ }
 
[edit security policies from-zone EXTERNAL to-zone LOCAL]
+ /* YOU CAN ANNOTATE SOME INFO HERE */
+ policy EXTERNALs_TO_LOCAL-WEB {
+    match {
+       source-address EXTERNALs;
+       destination-address LOCAL-WEB;
+       application LOCAL-WEB-app;
+    }
+    then {
+       permit;
+    }
+ }
 
[edit applications]
+ application LOCAL-WEB-app {
+    protocol tcp;
+    destination-port 80;
+ }

Share this!