Technical Musings on Networking Related Topics
My meager attempt to share some tips and tricks and other niceties picked up along the way. I'm primarily working with enterprise network firewalls and Windows server systems running on VMware virtualization. I'm fortunate to have had some great hands-on experience over the years resulting in the network version of bloody knuckles. My current environment has a lot of great technology and a strong company to run it for.
On the network side I'm running basically an IPsec VPN hub-and-spoke network. We have about 90 mainland USA clinics and offices connecting to a datacenter rack provided by Sungard in Denver. Our Hawaii operation is frame relay among the islands with a T1 back to Denver from the Hawaii hub. We run mostly Sonicwall appliances but are in the process of migrating to route-based VPN from the Juniper SSG line.
I'm a big Juniper fan, also running the SSL-VPN and WAN accelerator products.
Server published to Public IP for both Trust & Untrust Connections
By Steve Puluka on 09-Jul-11 20:34.
A server in the local Trust zone is published on a public IP address. Two policies are needed. The first applies destination NAT so Internet traffic arriving on the Untrust side can reach the server's services. The second lets computers on the local Trust LAN reach the same public IP address for the same services; because client and server sit in the same zone, this policy needs both source and destination NAT so that the server's replies return through the firewall instead of going straight to the client.
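The two-policy layout described above, written out in ScreenOS CLI as an added example (this is not the post's own configuration). The interface names, zone layout and every address are assumptions: ethernet0/0 is Untrust at 198.51.100.2/30 with the ISP routing 203.0.113.0/29 to it, ethernet0/1 is Trust at 192.168.1.1/24, the published address is 203.0.113.10 and the real server is 192.168.1.10.

```screenos
# Added example, not the post's configuration. All addresses are assumed.
# ethernet0/0 = Untrust 198.51.100.2/30 (ISP routes 203.0.113.0/29 to us)
# ethernet0/1 = Trust   192.168.1.1/24, real server 192.168.1.10
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 198.51.100.2/30
set interface ethernet0/1 zone Trust
set interface ethernet0/1 ip 192.168.1.1/24
set interface ethernet0/1 nat
set route 0.0.0.0/0 interface ethernet0/0 gateway 198.51.100.1

# Route for the published address. The route lookup on the original
# (untranslated) destination decides the destination zone, so it has to
# resolve to Trust for both policies below to match.
set route 203.0.113.10/32 interface ethernet0/1

set address Trust "lan-clients" 192.168.1.0/24
set address Trust "web-public"  203.0.113.10/32

# Policy 1: Internet -> published IP, destination NAT to the real server.
# Publish only the service actually offered, never ANY.
set policy id 10 from Untrust to Trust Any "web-public" HTTPS nat dst ip 192.168.1.10 permit log

# Policy 2: LAN clients -> the same published IP. Destination NAT sends the
# request to the server; source NAT (to the Trust interface address) makes
# the server answer the firewall instead of the client directly, which would
# otherwise bypass the translation and reset the session.
# Intra-zone traffic is only policy-checked once blocking is on for the zone;
# if Trust spans several interfaces, add the intra-zone permits you rely on.
set zone Trust block
set policy id 11 from Trust to Trust "lan-clients" "web-public" HTTPS nat src dst ip 192.168.1.10 permit log

# Checks
get policy id 10
get policy id 11
get session dst-ip 192.168.1.10
```

A session listed by the last command from a LAN client should show the translated source as the Trust interface address; if it shows the client's own address, the source NAT in policy 11 is not being applied and the hairpin will fail.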
ScreenOS – Dual WAN with OSPF on Two Sites
By Steve Puluka on 04-Jun-11 08:00.
Each site has two Internet connections on separate interfaces, so two route-based VPN tunnels can be up at the same time. OSPF runs across both tunnels with a lower cost on the primary line, so that line carries the traffic while it is healthy. When the first tunnel fails the second takes over automatically, and when the first line is restored OSPF reverts to it without intervention.
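One side of the dual-WAN setup described above, as an added ScreenOS CLI example that is not taken from the post. Site B mirrors it with its own addresses. Every interface, zone, peer address and pre-shared key placeholder is an assumption.

```screenos
# Added example (site A side; site B mirrors it). Names and addresses assumed:
# ethernet0/0 = Untrust, line 1, 198.51.100.2/30 gw .1 ; peer line 1 = 192.0.2.2
# ethernet0/1 = Untrust, line 2, 203.0.113.2/30  gw .1 ; peer line 2 = 192.0.2.6
# ethernet0/2 = Trust, 10.1.0.1/24 ; site B LAN 10.2.0.0/24
set zone name vpn
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 198.51.100.2/30
set interface ethernet0/1 zone Untrust
set interface ethernet0/1 ip 203.0.113.2/30
set interface ethernet0/2 zone Trust
set interface ethernet0/2 ip 10.1.0.1/24
set interface tunnel.1 zone vpn
set interface tunnel.1 ip 172.16.0.1/30
set interface tunnel.2 zone vpn
set interface tunnel.2 ip 172.16.0.5/30

# Default route prefers line 1; the line-2 default carries a worse metric.
# The peer's line-2 address is pinned to ethernet0/1, otherwise IKE for the
# second tunnel would also leave via line 1 and fail with it.
set route 0.0.0.0/0 interface ethernet0/0 gateway 198.51.100.1 metric 1
set route 0.0.0.0/0 interface ethernet0/1 gateway 203.0.113.1 metric 10
set route 192.0.2.6/32 interface ethernet0/1 gateway 203.0.113.1

# One IKE gateway and one route-based VPN per line. VPN monitor takes the
# tunnel interface down when the peer stops answering, which tears down the
# OSPF adjacency over it.
set ike gateway gw-b-line1 address 192.0.2.2 main outgoing-interface ethernet0/0 preshare "<psk-line1>" sec-level standard
set vpn vpn-b-line1 gateway gw-b-line1 replay tunnel idletime 0 sec-level standard
set vpn vpn-b-line1 bind interface tunnel.1
set vpn vpn-b-line1 monitor optimized rekey
set ike gateway gw-b-line2 address 192.0.2.6 main outgoing-interface ethernet0/1 preshare "<psk-line2>" sec-level standard
set vpn vpn-b-line2 gateway gw-b-line2 replay tunnel idletime 0 sec-level standard
set vpn vpn-b-line2 bind interface tunnel.2
set vpn vpn-b-line2 monitor optimized rekey

# OSPF over both tunnels. The lower cost on tunnel.1 makes line 1 primary;
# when tunnel.1 drops, the route learned over tunnel.2 wins, and the
# preference returns to tunnel.1 as soon as it is back.
set vrouter trust-vr protocol ospf
set vrouter trust-vr protocol ospf enable
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf link-type p2p
set interface tunnel.1 protocol ospf cost 10
set interface tunnel.1 protocol ospf enable
set interface tunnel.2 protocol ospf area 0.0.0.0
set interface tunnel.2 protocol ospf link-type p2p
set interface tunnel.2 protocol ospf cost 100
set interface tunnel.2 protocol ospf enable
# Advertise the LAN without forming adjacencies on it.
set interface ethernet0/2 protocol ospf area 0.0.0.0
set interface ethernet0/2 protocol ospf passive
set interface ethernet0/2 protocol ospf enable

# Routing is not permission: policies between Trust and the vpn zone are
# still required for any traffic to cross.
set address Trust "site-a-lan" 10.1.0.0/24
set address vpn   "site-b-lan" 10.2.0.0/24
set policy from Trust to vpn "site-a-lan" "site-b-lan" ANY permit log
set policy from vpn to Trust "site-b-lan" "site-a-lan" ANY permit log

# Checks: two neighbours in Full state, and the site B route via tunnel.1
get vrouter trust-vr protocol ospf neighbor
get route ip 10.2.0.10
get sa active
```

To test failover without touching cables, clear the line-1 SA with `clear sa` for that VPN, or shut the primary interface, and watch the route for 10.2.0.0/24 move to tunnel.2 and back.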
ScreenOS – Redundant Internet Connections on a Policy VPN
By Steve Puluka on 04-Jun-11 07:07.
This configuration puts a redundant Internet link on one side of a policy-based VPN. Creating two IKE gateways and grouping them allows failover between the two links, with one designated as the preferred link.
ScreenOS – Remote Site Server Published on Local Site Public IP Address
By Steve Puluka on 03-Jun-11 16:23.
Two sites, a server site and a public-IP site, are connected by a route-based VPN. The public-IP site publishes a policy that allows Internet access to the server; requests are forwarded down the VPN tunnel and the responses are returned through the same tunnel to the Internet requester.
ScreenOS - Hub-Spoke VPN with mix of Policy and Route spoke sites
By Steve Puluka on 30-May-11 14:06.
This hub-and-spoke setup lets multiple spoke sites, on either route-based or policy-based VPNs, terminate on a common tunnel interface at the hub. Static routes and NHTB (Next Hop Tunnel Binding) direct traffic to the correct spoke tunnel, which allows SSG route-based spokes and non-SSG policy-based spokes to share one hub-and-spoke network.
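The hub side of the mixed hub-and-spoke network described above, as an added ScreenOS CLI example (not the post's configuration). It assumes one SSG route-based spoke and one non-SSG policy-based spoke; the tunnel subnet, spoke LANs, peer addresses and key placeholders are all assumptions.

```screenos
# Added example: hub side only; names and addresses assumed.
# tunnel.1 10.255.0.1/24 in zone vpn ; hub LAN 10.0.0.0/16 (Trust)
# spoke1 = SSG, route-based, tunnel IP 10.255.0.2, LAN 10.1.0.0/24
# spoke2 = non-SSG, policy-based, no tunnel IP,   LAN 10.2.0.0/24
set zone name vpn
set interface tunnel.1 zone vpn
set interface tunnel.1 ip 10.255.0.1/24

set ike gateway gw-spoke1 address 192.0.2.10 main outgoing-interface ethernet0/0 preshare "<psk1>" sec-level standard
set vpn vpn-spoke1 gateway gw-spoke1 replay tunnel idletime 0 sec-level standard
set vpn vpn-spoke1 bind interface tunnel.1
set vpn vpn-spoke1 monitor optimized rekey

set ike gateway gw-spoke2 address 192.0.2.20 main outgoing-interface ethernet0/0 preshare "<psk2>" sec-level standard
set vpn vpn-spoke2 gateway gw-spoke2 replay tunnel idletime 0 sec-level standard
set vpn vpn-spoke2 bind interface tunnel.1
# A policy-based peer negotiates specific proxy IDs, so they are set here to
# match what the non-SSG box will propose.
set vpn vpn-spoke2 proxy-id local-ip 10.0.0.0/16 remote-ip 10.2.0.0/24 "ANY"

# NHTB: several VPNs share tunnel.1, so each next-hop address on the tunnel
# subnet is mapped to one VPN. An SSG peer's tunnel IP is learned automatically
# when both ends run ScreenOS (the explicit entry is shown for clarity); the
# policy-based peer has no tunnel IP, so any unused address on the tunnel
# subnet serves as its placeholder.
set interface tunnel.1 nhtb 10.255.0.2 vpn vpn-spoke1
set interface tunnel.1 nhtb 10.255.0.3 vpn vpn-spoke2

# Static routes: the gateway selects the NHTB entry, and so the VPN.
set route 10.1.0.0/24 interface tunnel.1 gateway 10.255.0.2
set route 10.2.0.0/24 interface tunnel.1 gateway 10.255.0.3

# Policies stay per-spoke; one broad "any" for the whole 10/8 is avoided.
set address Trust "hub-lan" 10.0.0.0/16
set address vpn "spoke1-lan" 10.1.0.0/24
set address vpn "spoke2-lan" 10.2.0.0/24
set group address vpn "spoke-lans" add "spoke1-lan"
set group address vpn "spoke-lans" add "spoke2-lan"
set policy from Trust to vpn "hub-lan" "spoke-lans" ANY permit log
set policy from vpn to Trust "spoke-lans" "hub-lan" ANY permit log

# Checks: the NHTB table is shown with the tunnel interface
get interface tunnel.1
get route ip 10.2.0.5
get sa active
```

If traffic for the policy-based spoke is encrypted into the wrong SA, compare the gateway in the static route with the NHTB table printed by `get interface tunnel.1`; a route whose gateway has no NHTB entry is the usual cause.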
ScreenOS - Initiating Factory Default
By Steve Puluka on 22-May-11 17:10.
ScreenOS provides two methods to reset a device to its factory default settings: a hard reset (pinhole reset button) and a soft reset (console login). The pinhole method can be difficult to perform without a console session to watch the prompts, because it requires pressing the reset button twice at the correct intervals. It can be done by watching the status LEDs, but the timing is tricky to get right.
ScreenOS - Remote Site Uses VPN to Core Site for Internet Access
By Steve Puluka on 22-May-11 09:38.
Each site has its own Internet access, which is used to establish the VPN, but all web browsing from client machines at the remote site is directed to the core site. Source-based routing forces every request from the remote LAN down the VPN to the core site gateway. On arrival at the core site the source address is translated to a core-site address and the traffic is then forwarded to the Internet.
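Both ends of the arrangement described above, as an added ScreenOS CLI example rather than the post's own configuration. It assumes a working route-based tunnel (tunnel.1 in a zone named vpn) already exists between spoke and hub, that both firewalls have their Internet link on ethernet0/0 in Untrust, and the spoke and hub LAN addresses shown are made up.

```screenos
# Added example, not the post's configuration; all addresses assumed.
# Assumes a route-based tunnel (tunnel.1 in zone vpn) between spoke and hub
# already exists. Spoke LAN 192.168.2.0/24 ; hub LAN 10.0.0.0/16 ;
# both firewalls have their Internet link on ethernet0/0 (Untrust).

# ---- Spoke ----
# Keep the normal default route: IKE/ESP to the hub is traffic from the
# firewall itself and must still leave via the local Internet link.
set route 0.0.0.0/0 interface ethernet0/0 gateway 198.51.100.1
# Source-based routing: anything sourced from the LAN goes into the tunnel
# regardless of destination, so Internet browsing is hairpinned via the hub.
set vrouter trust-vr source-routing enable
set vrouter trust-vr route source 192.168.2.0/24 interface tunnel.1
set address Trust "spoke-lan" 192.168.2.0/24
set policy from Trust to vpn "spoke-lan" Any ANY permit log

# ---- Hub ----
# Return route for the spoke LAN through the same tunnel.
set route 192.168.2.0/24 interface tunnel.1
set address vpn "spoke-lan" 192.168.2.0/24
set address Trust "hub-lan" 10.0.0.0/16
# Spoke Internet traffic arrives in zone vpn and leaves via Untrust with
# source NAT to the hub's Untrust interface address, so the Internet sees the
# hub's IP and the replies come back to the hub to be sent down the tunnel.
set policy from vpn to Untrust "spoke-lan" Any ANY nat src permit log
# Access to the hub LAN is a separate decision; nothing is implied by the above.
set policy from vpn to Trust "spoke-lan" "hub-lan" ANY permit log
# Both ends must accept 0.0.0.0/0 in the proxy-ID (the route-based default),
# or Internet-bound flows will not match any phase 2 SA.

# Check on the spoke: a LAN session to an Internet host should show tunnel.1
# as its egress interface rather than ethernet0/0.
get session src-ip 192.168.2.50
```

Because the hub now originates the spoke's web traffic, any URL filtering or logging you want for the remote site has to be applied to the hub's vpn-to-Untrust policy, not at the spoke.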
ScreenOS Configure Backup Internet for Failover
By Steve Puluka on 22-May-11 08:41.
A second Internet service can be configured as a backup line for use during a failure of the primary line. This uses the interface backup and track-ip features of ScreenOS 6, which perform the failover automatically during the outage. The example assumes ethernet0/0 is the current primary interface and ethernet0/1 is the interface for the new service.
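The interface backup and track-ip configuration described above, as an added ScreenOS CLI example (not the post's configuration). It keeps the post's interface roles (ethernet0/0 primary, ethernet0/1 backup); the ISP addresses and the two far-end hosts used as health probes are assumptions.

```screenos
# Added example, not the post's configuration. Assumed addresses:
# ethernet0/0 = primary ISP 198.51.100.2/30, gateway 198.51.100.1
# ethernet0/1 = backup  ISP 203.0.113.2/30,  gateway 203.0.113.1
# 192.0.2.53 and 192.0.2.54 stand in for two stable hosts beyond the ISP.
set interface ethernet0/1 zone Untrust
set interface ethernet0/1 ip 203.0.113.2/30

# Two default routes. The backup one only becomes active once interface
# backup marks ethernet0/0 down and its routes go inactive.
set route 0.0.0.0/0 interface ethernet0/0 gateway 198.51.100.1 metric 1
set route 0.0.0.0/0 interface ethernet0/1 gateway 203.0.113.1 metric 10

# track-ip: the ISP gateway alone is a poor health signal (it answers while
# the upstream is dead), so also track two far hosts at half weight each.
# With threshold 255 the interface fails if the gateway dies OR both far
# hosts die; a single far host having a bad day does not trigger failover.
set interface ethernet0/0 monitor track-ip
set interface ethernet0/0 monitor track-ip threshold 255
set interface ethernet0/0 monitor track-ip ip 198.51.100.1
set interface ethernet0/0 monitor track-ip ip 198.51.100.1 weight 255
set interface ethernet0/0 monitor track-ip ip 192.0.2.53
set interface ethernet0/0 monitor track-ip ip 192.0.2.53 weight 128
set interface ethernet0/0 monitor track-ip ip 192.0.2.54
set interface ethernet0/0 monitor track-ip ip 192.0.2.54 weight 128
# Probe every 5 s; a tracked host is declared down after 3 misses (~15 s).
set interface ethernet0/0 monitor track-ip ip 198.51.100.1 interval 5
set interface ethernet0/0 monitor track-ip ip 198.51.100.1 threshold 3
set interface ethernet0/0 monitor track-ip ip 192.0.2.53 interval 5
set interface ethernet0/0 monitor track-ip ip 192.0.2.53 threshold 3
set interface ethernet0/0 monitor track-ip ip 192.0.2.54 interval 5
set interface ethernet0/0 monitor track-ip ip 192.0.2.54 threshold 3

# Tie the backup interface to the tracking result.
set interface ethernet0/0 backup interface ethernet0/1 type track-ip

# Checks
get interface ethernet0/0 track-ip
get route ip 192.0.2.53
```

Two caveats a practitioner will hit: IKE gateways configured with `outgoing-interface ethernet0/0` do not move to the backup line by themselves, so site-to-site tunnels need their own redundancy (the dual-WAN and redundant-gateway posts on this page cover that); and outbound source NAT that uses a DIP pool on ethernet0/0 will also need an equivalent on ethernet0/1, or sessions will fail over with an unroutable source address.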
ScreenOS IPSEC VPN Configurations
By Steve Puluka on 14-May-11 12:20.
The ScreenOS platform offers two basic types of site-to-site VPN: route based and policy based. The policy-based option is what every standard VPN-capable firewall offers: it creates a simple point-to-point connection over the Internet between two sites, and the policy that references the tunnel is what permits the traffic. Route-based VPNs add a layer of flexibility: the tunnel is bound to a tunnel interface, so standard routing features such as BGP or OSPF can run across it, and ordinary permit and deny policies give more granular control over what crosses the connection.
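The two VPN styles side by side, as an added ScreenOS CLI example that is not from the post. Two separate peers are used so each style stands on its own; all interface names, zones, peer addresses, LANs and key placeholders are assumptions.

```screenos
# Added example, not the post's configuration. Two separate peers are used so
# each style stands alone; every name and address is assumed.
# Local LAN 10.1.0.0/24 on ethernet0/2 (Trust); Untrust is ethernet0/0.
set address Trust "local-lan" 10.1.0.0/24

# ---- Policy-based VPN to peer A (192.0.2.2, LAN 10.2.0.0/24) ----
# The policy action is "tunnel": it both selects the VPN and permits the
# traffic, and each tunnel policy becomes a proxy-ID / phase 2 SA. Narrowing
# what crosses the link therefore means more policies and more SAs, and
# there is no per-service deny for traffic already matched to the tunnel.
set ike gateway gw-peer-a address 192.0.2.2 main outgoing-interface ethernet0/0 preshare "<psk-a>" sec-level standard
set vpn vpn-peer-a gateway gw-peer-a replay tunnel idletime 0 sec-level standard
set address Untrust "peer-a-lan" 10.2.0.0/24
set policy id 20 from Trust to Untrust "local-lan" "peer-a-lan" ANY tunnel vpn vpn-peer-a pair-policy 21 log
set policy id 21 from Untrust to Trust "peer-a-lan" "local-lan" ANY tunnel vpn vpn-peer-a pair-policy 20 log

# ---- Route-based VPN to peer B (192.0.2.6, LAN 10.3.0.0/24) ----
# The VPN is bound to a tunnel interface in its own zone. A route decides what
# enters the tunnel; ordinary permit/deny policies decide what is allowed.
set zone name vpn
set interface tunnel.1 zone vpn
set interface tunnel.1 ip unnumbered interface ethernet0/2
set ike gateway gw-peer-b address 192.0.2.6 main outgoing-interface ethernet0/0 preshare "<psk-b>" sec-level standard
set vpn vpn-peer-b gateway gw-peer-b replay tunnel idletime 0 sec-level standard
set vpn vpn-peer-b bind interface tunnel.1
set vpn vpn-peer-b monitor optimized rekey
set route 10.3.0.0/24 interface tunnel.1
set address vpn "peer-b-lan" 10.3.0.0/24
# Granular control the policy VPN cannot express: only HTTPS is accepted
# from the peer, everything else from it is denied and logged, and the
# outbound direction is handled by its own policy. Policies match in order.
set policy id 30 from vpn to Trust "peer-b-lan" "local-lan" HTTPS permit log
set policy id 31 from vpn to Trust "peer-b-lan" "local-lan" ANY deny log
set policy id 32 from Trust to vpn "local-lan" "peer-b-lan" ANY permit log

# Checks: phase 1 / phase 2 state and the route into the tunnel
get ike cookies
get sa active
get route ip 10.3.0.10
```

The route-based half is also the one that can carry OSPF or BGP: the protocol is simply enabled on tunnel.1, whereas the policy-based tunnel has no interface for a routing protocol to run on.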
ScreenOS Wireless RADIUS Authentication
By Steve Puluka on 20-Dec-10 21:28.
Create a RADIUS-authenticated wireless segment on a ScreenOS firewall. This uses the Microsoft IAS server component that is included free with Windows Server 2003. The configuration requires an Active Directory domain and a Microsoft certificate authority; all components are included with the Server 2003 OS and can be installed on a single server.
JUNOS OOB Management
By Steve Puluka on 05-Dec-10 15:37.
Most JUNOS-based equipment provides a dedicated management Ethernet port for building a separate management network, so the devices can be reached and managed independently of the state of the production network. By itself this port does not prevent remote access and management from the production network; it only adds the dedicated management path. This technique uses a firewall filter (a stateless packet filter) applied to the device so that management access is permitted only from the management network.
ScreenOS: Configure Guest External WAP Segment
By Steve Puluka on 27-Nov-10 14:50.
Provide a guest wireless access point (WAP) on an SSG firewall that has no built-in wireless. The WAP is placed in a dedicated security zone, guestwifi, which has Internet access only and no permitted connections to any other segment.
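The guest zone described above, as an added ScreenOS CLI example (not the post's configuration). The interface carrying the WAP, the guest subnet and the public resolver address are assumptions; the zone name guestwifi is the post's.

```screenos
# Added example, not the post's configuration. Names and addresses assumed:
# ethernet0/5 carries the guest WAP, 192.168.50.0/24 ; Untrust = ethernet0/0
# 192.0.2.53 stands in for a public resolver handed out to guests.
set zone name guestwifi
# Guests should not reach each other through the firewall either.
set zone guestwifi block
set interface ethernet0/5 zone guestwifi
set interface ethernet0/5 ip 192.168.50.1/24
set interface ethernet0/5 nat
# No management services on the guest-facing interface.
unset interface ethernet0/5 manage ping
unset interface ethernet0/5 manage ssh
unset interface ethernet0/5 manage telnet
unset interface ethernet0/5 manage web
unset interface ethernet0/5 manage ssl
unset interface ethernet0/5 manage snmp

# DHCP for guests, pointing them at a public resolver rather than internal DNS.
set interface ethernet0/5 dhcp server service
set interface ethernet0/5 dhcp server option gateway 192.168.50.1
set interface ethernet0/5 dhcp server option netmask 255.255.255.0
set interface ethernet0/5 dhcp server option dns1 192.0.2.53
set interface ethernet0/5 dhcp server ip 192.168.50.100 to 192.168.50.200
set interface ethernet0/5 dhcp server enable

# Only web and DNS out to the Internet, source-NATed to the Untrust interface.
set address guestwifi "guest-net" 192.168.50.0/24
set group service "guest-out"
set group service "guest-out" add HTTP
set group service "guest-out" add HTTPS
set group service "guest-out" add DNS
set policy id 40 from guestwifi to Untrust "guest-net" Any "guest-out" nat src permit log
# Everything else from the guest zone is denied and logged. ScreenOS already
# denies unmatched inter-zone traffic, but the explicit rules make the intent
# visible in the policy list and produce log lines you can alert on.
set policy id 41 from guestwifi to Untrust "guest-net" Any ANY deny log
set policy id 42 from guestwifi to Trust Any Any ANY deny log

# Checks: nothing but the explicit deny should exist towards Trust
get policy from guestwifi to Trust
get policy from guestwifi to Untrust
```

If the guest network is ever given a path to the Trust zone (a printer, a captive portal), add it as a specific permit above policy 42 rather than widening the service group; the deny-all at the bottom is what keeps the segment honest.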
ScreenOS Configure Logging to USB Device
By Steve Puluka on 27-Nov-10 14:30.
The built-in flash on the firewalls has limited storage for log files, which are automatically overwritten as space runs out. Adding a USB drive increases the amount of log space available on the firewall.
Juniper SSL VPN Certification
By Steve Puluka on 11-Nov-10 17:16.
Another certification under my belt: I picked up one on the SSL VPN products for Juniper in November 2010. These are the full-service line of client proxy VPN access. I've just completed the JNCIS-SSL (Juniper Networks Certified Internet Specialist SSL-VPN). I used the following resources to prepare for the exam.
Add WXC to Active/Passive Router
By Steve Puluka on 24-Oct-10 17:26.
The diagram shows the before and after logical network diagrams for the site. The before scenario shows the standard active/passive cluster connecting to both the internal and external VLAN segments. The after diagram inserts the WXC device between the cluster devices and the local LAN in a way that ensures all traffic remains in-line.
Branch Office VPN with WAN Accelerator
By Steve Puluka on 16-Oct-10 09:36.
The WXC WAN accelerator can operate in in-line or off-path mode. In-line mode is the simplest to set up: all traffic from the site passes through the device, and acceleration tunnels are created between the branch office device and the data center device. An in-line deployment on a branch firewall requires that all ports for the branch LAN sit on the local side of the WXC. In practice this means only one port on the firewall is used, for the remote connection to the WXC, and all local devices connect to switches on the local interface side of the WXC.
Configuration of Auto-Complete VPN with OSPF
By Steve Puluka on 16-Oct-10 08:56.
This combines two of the convenience VPN features on the ScreenOS platform: dynamic routing protocol VPN and on-demand auto-complete VPN between spokes on a hub-and-spoke network. It allows a relatively standard spoke configuration process where only a few parameters change when a new spoke is created, but as soon as the new site joins the network full routing is established and efficient direct spoke-to-spoke tunnels are created as needed.
Juniper ScreenOS Firewall Software
By Steve Puluka on 30-Sep-10 16:20.
More certification updates on the Juniper firewall products. I'm using the SSG series of firewalls that run the ScreenOS operating system. I just completed the JNCIS-FWV (Juniper Networks Certified Internet Specialist - Firewall). I used the following resources.
Juniper Networks and JUNOS Software
By Steve Puluka on 24-Jun-09 20:14.
Last year I discovered Juniper Networks through a happy chance encounter that my current boss engineered. She was looking for vendors that support WAN acceleration, since we run all our services at a remote data center with everyone accessing them over WAN links. While this was the purpose of the meeting, I had been struggling with the management and technical limitations of the existing network architecture for some time. The short version is that the system was conceived as a 30-50 office network that has already grown to nearly 100, with 250 in our 3-5 year plan.