Technical Musings on Networking Related Topics

My meager attempt to share some tips and tricks and other niceties picked up along the way. I'm primarily working with enterprise network firewalls and Windows server systems running on VMware virtualization. I'm fortunate to have had some great hands-on experience over the years resulting in the network version of bloody knuckles. My current environment has a lot of great technology and a strong company to run it for.

On the network side I'm running basically an IPsec VPN hub and spoke network. We have about 90 mainland USA clinics and offices connecting to a datacenter rack provided by a Colo vendor. One regional operation is MPLS with a T1 back to the datacenter from the regional hub. We run mostly Sonicwall appliances but are in the process of migrating to route based VPN from the Juniper SSG line.

I'm a big Juniper fan also running the SSL-VPN and WAN accelerator products.

IPv4 Address Exhaustion

By Steve Puluka on 23-Apr-16 09:24. Comments (0)

When TCP/IP version 4 was published in 1981 (RFC 791-793), the four-byte address space of 4.2 billion addresses seemed like a limitless resource in our nascent networked world.

Critical ScreenOS Security Flaw

By Steve Puluka on 20-Dec-15 15:46. Comments (10)

To my friends running ScreenOS from Juniper, please review this critical security notice. These issues can affect any product or platform running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. The first issue allows unauthorized remote administrative access to the device over SSH or telnet. Exploitation of this vulnerability can lead to complete compromise of the affected system. The second issue may allow a knowledgeable attacker to decrypt encrypted VPN traffic.

Junos Disaggregation

By Steve Puluka on 16-Nov-15 21:15. Comments (0)

For years Juniper has been passing out these stickers in various form factors proclaiming, I Wish This Ran Junos. I've saved one of every type I ever laid my hands on for my home office desk collection pictured here. Now this whimsy is coming true.

Juniper Design Certification

By Steve Puluka on 16-Aug-15 12:20. Comments (0)

I've added a new certification to the resume, JNCDA - Juniper Networks Certified Design Associate. I've always been a big believer in formal learning in my engineering career.

Juniper Learning Bytes: Playlists

By Steve Puluka on 20-Jan-14 10:30. Comments (0)

Juniper Learning Bytes is a large collection of short videos demonstrating how to use Juniper products. This is a collection of YouTube playlists that seeks to organize the Juniper Learning Bytes into related collections by topic.

Updates in URL filtering may be delayed by days in application to sessions

By Steve Puluka on 24-Nov-13 21:05. Comments (0)

Updates to URL categorization and blocks do not immediately apply to all URLs being filtered. The local cache on the Palo Alto firewall keeps the categorization and action for a URL for the time period specified in the cache option.

Active/Active Cluster Physical Interface Changes Sync to Opposite Node on Commit

By Steve Puluka on 24-Nov-13 20:58. Comments (0)

When making changes to the physical interface parameters in an Active/Active cluster, the state changes will sync to the opposite node on commit. The affected interface on the opposite node will change shortly after the commit completes on the node where the change is physically made.

Enterprise Security Lab

By Steve Puluka on 30-Mar-13 10:45. Comments (0)

Juniper launched a riff on March Madness in 2013 they call "Lab Madness" asking for contributions on lab setups. I don't really have an extensive or expensive setup, but I have found that working in my personal lab increased my confidence and knowledge about how systems interact. My small setup was eliminated in the first round, but this still inspired me to start thinking more formally about my lab work and how working in a lab helps me learn.

Juniper Security Certification

By Steve Puluka on 03-Mar-13 11:53. Comments (0)

I have always been a big believer in life-long learning or on-going education in my chosen spheres of work. For most of my engineering career this has taken the form of reading books, trade publications and doing lab exercises to keep my knowledge current for areas that affect my work. This has worked well for me in general and I've been able to apply that newfound knowledge along the way.

Juniper Ambassador Program

By Steve Puluka on 15-Aug-12 18:33. Comments (0)

In August of 2012 Juniper created the Ambassador program to recognize community members that show a strong commitment to help others with their networking needs. I'm happy to be one of the first seven community members selected to be part of this program.

Enterprise Routing & Switching Course

By Steve Puluka on 17-Jun-12 14:20. Comments (1)

This course is the first in the Enterprise Routing & Switching curriculum. These lectures are recorded from the original Operating Juniper Routers & Switches courses. But below are the links for the current incarnations of this same material revised and updated.

Introduction to ScreenOS Class

By Steve Puluka on 20-May-12 10:01. Comments (2)

This course is the first in the ScreenOS curriculum. The course focuses on configuration of the ScreenOS firewall/virtual private network (VPN) products in a variety of situations, including basic administrative access, routing, firewall policies and policy options, attack prevention features, address translation, and VPN implementations.

Server published to Public IP for both Trust & Untrust Connections

By Steve Puluka on 09-Jul-11 20:34. Comments (0)

The local trust zone server has a public IP address assigned for accessing services. Two policies are created for this. One allows destination NAT for the untrust internet traffic to access the services. The second allows local trust LAN computers to access the same public IP address for these same services. This second policy requires both source and destination NAT.

ScreenOS – Dual WAN with OSPF on Two Sites

By Steve Puluka on 04-Jun-11 08:00. Comments (2)

Each site has two internet connections and interfaces that allow route based VPNs to exist at the same time. Using OSPF route priorities, the primary line is in use unless it fails. When the first tunnel fails, the second automatically takes over. On restoration of the first line, route priorities automatically revert to the primary line.

ScreenOS – Redundant Internet Connections on a Policy VPN

By Steve Puluka on 04-Jun-11 07:07. Comments (0)

This configuration has a redundant internet link on one side of a policy based VPN connection. The creation of two gateways and a gateway group allows for failover between the two links and for setting one as the priority link.

ScreenOS – Remote Site Server Published on Local Site Public IP Address

By Steve Puluka on 03-Jun-11 16:23. Comments (1)

Two sites are connected via a route based VPN, a server site and a public IP site. The public IP site publishes a policy to allow internet access to the server. Traffic is forwarded down the VPN tunnel and the responses are returned to the internet requester.

ScreenOS - Hub-Spoke VPN with mix of Policy and Route spoke sites

By Steve Puluka on 30-May-11 14:06. Comments (0)

This hub and spoke setup allows multiple sites on either route or policy based VPN to connect to a common tunnel interface. It uses static routes and NHTB (Next Hop Tunnel Binding) to direct traffic in the network. Together these allow the mixing of SSG and non-SSG policy based VPN on the same hub and spoke network.

ScreenOS - Initiating Factory Default

By Steve Puluka on 22-May-11 17:10. Comments (0)

ScreenOS provides two methods to reset a device to the factory default settings: hard reset (pinhole reset) and soft reset (console login). The pinhole reset method can be difficult to achieve if you do not have a console session open to see the prompts, as the process requires holding in the reset button twice at the correct intervals. This can be done by observing the lights, but it can be tricky to get the timing right.

ScreenOS - Remote Site Uses VPN to Core Site for Internet Access

By Steve Puluka on 22-May-11 09:38. Comments (1)

Each site has internet access to establish the VPN connection, but all browsing from client machines on the remote site is directed to the core site. The process uses source based routing to force all requests from the remote LAN down the VPN to the core site gateway. On arrival at the core site the source address needs to be translated to a local core site LAN IP and then forwarded for internet access.

ScreenOS Configure Backup Internet for Failover

By Steve Puluka on 22-May-11 08:41. Comments (5)

You can set up a second internet service as a configured backup line for use during a failure on the primary line. This utilizes the interface backup and track-ip features of ScreenOS 6, which perform the failover automatically during the outage. This example assumes that ethernet0/0 is the current primary interface while ethernet0/1 is the new service interface.

ScreenOS IPSEC VPN Configurations

By Steve Puluka on 14-May-11 12:20. Comments (2)

The ScreenOS platform offers two basic types of VPN for site-to-site tunnels, route based and policy based. The policy based option is what all standard VPN capable firewalls offer for connectivity. These create a simple point-to-point connection over the internet between the two sites and permit the traffic. Route based options add a layer of flexibility to the connection. These permit the use of standard routing features like BGP or OSPF across the tunnel and allow both permit and deny policies and more granular traffic control on the connection.

ScreenOS Wireless RADIUS Authentication

By Steve Puluka on 20-Dec-10 21:28. Comments (2)

Create a RADIUS authenticated wireless segment on a ScreenOS firewall. This uses the Microsoft IAS server component that is free with Windows Server 2003. The configuration does require an Active Directory domain and a Microsoft certificate authority. All components are included with the Server 2003 OS and can be installed on a single server.

JUNOS OOB Management

By Steve Puluka on 05-Dec-10 15:37. Comments (0)

Most JUNOS based equipment provides a dedicated management ethernet port to create a separate management network. This allows connection to and management of the devices independent of the operation and access of the production network. The port by itself does not prevent remote access and management of the devices from the production network; it only provides a dedicated management network for access. This technique uses a firewall filter (stateless packet filter) to secure the device against access from the production network so that only management network access is permitted.

ScreenOS: Configure Guest External WAP Segment

By Steve Puluka on 27-Nov-10 14:50. Comments (0)

Provide a Guest Wireless Access Point (WAP) on a non-wireless-enabled SSG firewall. The WAP is placed in a security zone guestwifi that has internet access only and no allowed connections to other segments.

ScreenOS Configure Logging to USB Device

By Steve Puluka on 27-Nov-10 14:30. Comments (1)

The built-in flash on the firewalls has limited storage for log files. These are automatically overwritten as space runs out on the device. Adding a USB stick can increase the amount of log space available on the firewall.

Juniper SSL VPN Certification

By Steve Puluka on 11-Nov-10 17:16. Comments (0)

Another certification under my belt, I've picked up one on the SSL VPN products for Juniper in November 2010. These are the full service line of client proxy VPN access. I've just completed the JNCIS-SSL (Juniper Networks Certified Internet Specialist SSL-VPN). I used the following resources to prepare for the exam.

Add WXC to Active/Passive Router

By Steve Puluka on 24-Oct-10 17:26. Comments (0)

The diagram shows the before and after network logical diagram for the site. The before scenario shows the standard active/passive cluster connecting to both the internal and external VLAN segments. The after diagram inserts the WXC device between the cluster devices and the local LAN in a way that ensures all traffic remains in-line.

Branch Office VPN with WAN Accelerator

By Steve Puluka on 16-Oct-10 09:36. Comments (0)

The WXC WAN Accelerator product can operate in in-line or off-path mode. The in-line mode is simplest to set up, where all traffic from the site passes through the device. Acceleration tunnels are created between the branch office device and the data center device. This in-line deployment on a branch firewall requires that all ports for the branch LAN be on the local port side of the WXC device. Generally this means only one port on the firewall will be used for the remote connection of the WXC, and all local devices are then connected to switch(es) on the local interface side of the WXC.

Configuration of Auto-Complete VPN with OSPF

By Steve Puluka on 16-Oct-10 08:56. Comments (0)

This combines two of the convenience VPN features on the ScreenOS platform, dynamic routing protocol VPN and the on-demand auto-complete VPN between spokes on a hub and spoke network. This allows a relatively standard spoke configuration process where only a few parameters are changed in the creation of a new spoke. When the new site is added to the network, full routing is established and efficient direct tunnels are created as needed.

Juniper ScreenOS Firewall Software

By Steve Puluka on 30-Sep-10 16:20. Comments (1)

More certification updates on the Juniper firewall products. I'm using the SSG series of firewalls that run the ScreenOS operating system. I just completed the JNCIS-FWV (Juniper Networks Certified Internet Specialist-Firewall). I used the following resources.

Juniper Networks and JUNOS Software

By Steve Puluka on 24-Jun-09 20:14. Comments (5)

Last year I discovered Juniper Networks through the happy chance encounter that my current boss engineered. She was looking for vendors that support WAN Acceleration since we run all our services at a remote data center with everyone accessing them over WAN links. While this was the purpose of the meeting I had been struggling with the management and technical limitations of the existing network architecture for some time. The short version is that the system was conceived as a 30-50 office network that has already grown to nearly 100 with 250 in our 3-5 year plan.