Did you notice that Juniper has updated their IDP policy templates?
First let's review the list of the old pre-defined templates:
blogger@SRX> show security idp policy-templates-list
Web_Server
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Let's check the version of the installed templates:
blogger@SRX> show security idp security-package-version
Attack database version:2395(Wed Jul 2 18:14:04 2014 UTC)
Detector version :12.6.160140626
Policy template version :2192
Let's check what's available on the update server:
blogger@SRX> request security idp security-package download check-server
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2395(Detector=12.6.160140626, Templates=2395)
So you see: even if you are automatically updating the attack database, that doesn't update the policy templates (template version 2192 is installed while 2395 is available).
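One way to catch this gap in a scheduled check, as an added example that is not part of the original post: parse the two outputs shown above and report which IDP components lag the server. The two sample strings are copied from the transcripts on this page; everything else (function names, the string comparison of detector versions) is an assumption for illustration.

```python
import re

# Sample outputs, copied from the two CLI transcripts above.
VERSION_OUTPUT = """\
Attack database version:2395(Wed Jul 2 18:14:04 2014 UTC)
Detector version :12.6.160140626
Policy template version :2192
"""

CHECK_SERVER_OUTPUT = """\
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2395(Detector=12.6.160140626, Templates=2395)
"""


def parse_installed(text):
    """Parse 'show security idp security-package-version' output."""
    m_db = re.search(r"Attack database version\s*:\s*(\d+)", text)
    m_det = re.search(r"Detector version\s*:\s*(\S+)", text)
    m_tpl = re.search(r"Policy template version\s*:\s*(\d+)", text)
    if not (m_db and m_det and m_tpl):
        raise ValueError("unrecognised security-package-version output")
    return {"attack_db": int(m_db.group(1)),
            "detector": m_det.group(1),
            "templates": int(m_tpl.group(1))}


def parse_available(text):
    """Parse 'request security idp security-package download check-server' output."""
    m = re.search(r"Version info\s*:\s*(\d+)\(Detector=([^,]+),\s*Templates=(\d+)\)", text)
    if not m:
        raise ValueError("unrecognised check-server output")
    return {"attack_db": int(m.group(1)),
            "detector": m.group(2).strip(),
            "templates": int(m.group(3))}


def stale_components(installed, available):
    """Return the names of components whose installed version lags the server.
    Numeric versions are compared as integers; the detector version is compared
    as a string (assumption: Junos prints it in a fixed format)."""
    stale = [k for k in ("attack_db", "templates") if installed[k] < available[k]]
    if installed["detector"] != available["detector"]:
        stale.append("detector")
    return stale


if __name__ == "__main__":
    inst = parse_installed(VERSION_OUTPUT)
    avail = parse_available(CHECK_SERVER_OUTPUT)
    print(stale_components(inst, avail))  # ['templates']
```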
SRX NAT: Destination
Today we will have a look at some Destination NAT (DNAT) on the SRX with port translation.
We have the following network scenario:
In this scenario we need to do DNAT using the actual external interface IP (192.168.200.200).
So the flows will go like this:
PRE-NAT                                   POST-NAT
192.168.200.10 --> 192.168.200.200:8088   192.168.200.10 --> 10.31.254.17:80
192.168.200.10 --> 192.168.200.200:2088   192.168.200.10 --> 10.31.254.17:22
CX111
I recently had the opportunity to test out a CX111.
It's a device that acts as an L2 bridge between a 3G/4G USB modem, connected to one of its 3 USB ports, and a single Ethernet port.
http://www.juniper.net/au/en/products-services/routing/srx-series/cx111/
Specifically I tested it with a Telstra 4G Sierra Wireless AirCard 320U.
And the results were great!
SRX VPN: Multipoint
Happy New Year to all readers!
Today we are going to make a multipoint VPN.
One hub site (VPN-CORE) and 2 spoke sites (LEFTY and RIGHTY2). All devices are SRXs.
Multipoint is only supported with route-based VPNs, so that's what we will be using. The key point to note is that the multipoint hub uses a single tunnel interface regardless of the number of VPN tunnels.
In real life you probably wouldn't bother with multipoint for just 2 spokes, but this is a lab so let's do it!
Here is the network we are working on:
We will want to get traffic between the 2 trust zones and the server-zone running over the VPN.
SRX UTM: Antivirus - Sophos
Here is a quick overview of getting Sophos AV working on an SRX.
Sophos is a cloud-based solution and so needs an active Internet connection to work. This means the AV database is not stored locally on the SRX as it is with Kaspersky; instead the SRX performs AV lookups via DNS queries to the Sophos cloud. We'll see later how these work.
Sophos can also perform URI content checking over HTTP to detect malware. This is essentially a reputation check and can be disabled if you wish.
The Sophos solution should put less load on the SRX, processor- and memory-wise, as it does not have to download a giant AV database and run checks against it, though it does cache responses to improve lookup performance.
SRX VPN: Checkpoint to SRX Site-to-Site Policy Based.
Today we are going to take a look at a site to site VPN between a Checkpoint and an SRX.
We will focus more on configuration and testing than on VPN theory, as the Internet is full of great resources in that respect. No NAT in this one either, to keep it simpler and focused on the VPN side of things. We will do a separate blog post for VPN troubleshooting.
Here is a layer 3 view of the network we will be using:
SRX UTM: Antivirus - Kaspersky Full
There are currently 3 antivirus solutions for the SRX, each of which requires a different license to activate:
* Kaspersky
* Sophos
* Juniper Express
Briefly, some differences between the 3 options are:
Kaspersky
* Full file based AV
* Local signature database lookups. AV signatures downloaded as a package.
* Largest CPU performance impact
* Supports Intelligent Prescreening
Sophos
* Cloud-based signature database, which therefore requires constant Internet access for AV lookups
* Moderate CPU performance impact
* No Prescreening
Juniper Express
* Less protection than the other 2 options
* Only protects against critical threats. Modified Kaspersky database.
* Does not reconstruct content prior to scanning
* Pattern matching based solution. No heuristics.
* No protection against polymorphic or metamorphic viruses
* Supports Intelligent Prescreening