Running Secure
Monday 7 November 2022
Thursday 7 July 2011
JUNOS Pulse Gateway - MAG2600
Recently Juniper have brought out the JUNOS Pulse Gateway MAG series devices, at first I was unsure whether these were a replacement for the Juniper SA range or not. Additionally it is not easy to find any Juniper documentation that states that they do the same job.
Juniper do state that the MAG devices are SSL VPN boxes and the 2600 series for example (as it is on my desk) can sustain 100 concurrent users. As well as the SSL VPN function they can also be converted to perform NAC services but that is another discussion. The bottom line was that I needed to know whether it could perform all the other funky features such as secure meeting, virtual desktops, folder redirection, host checking etc. that were available on the SA boxes and which my clients love so much. I was aware that the MAG Series still uses IVE but needed to be certain that they could perform all the same tasks.
That being the case I was able to get a box on eval to play with.
For anyone that has used the SA boxes before then the principle is still the same. You console onto the box, set the networking, certificate and credentials. Then browse to the box via IP and login via the /admin page.
Thursday 30 June 2011
SRX IPv6 Basic Config
For the purposes of this example I am configuring an IPv6 network between one of my PC NICs and the SRX interface fe-0/0/1. As this is considered a private network I will be following RFC4193.
I am using the website http://www.sixxs.net/tools/grh/ula/ in order to generate an IPv6 Unique Local Address (ULA)
The assigned IPv6 address space I will be using is fd13:17d7:1ad6::/48
I will be using fd13:17d7:1ad6::1/48 for my local PC and fd13:17d7:1ad6::2/48 for the SRX. As my test PC is running Windows XP I had to start by installing the IPv6 stack and then configure my NIC using Netsh:
netsh interface ipv6>add address "Local Area Connection" fd13:17d7:1ad6::1
netsh interface ipv6>add route fd13:17d7:1ad6::/48 "Local Area Connection"
We now need to configure the SRX. As mentioned the configuration is on the fe-0/0/1 interface
root@host# set interfaces fe-0/0/1 unit 0 family inet6 address fd13:17d7:1ad6::2/48
At this point I have set up the addressing correctly however I will not be able to ping the SRX from my test PC as by default the SRX series or J series devices drops IPv6 traffic. To enable processing of IPv6 via zones, screens and policies I must enable flow-based forwarding for IPv6 traffic.
root@host# set security forwarding-options family inet6 mode packet-based
Once done I can confirm connectivity
Wednesday 29 June 2011
Tuesday 28 June 2011
SRX Static NAT - One to One
SRX Route Based VPN - Proxy IDs
The Config
In our example I am establishing a VPN with a Juniper SSG so in theory you can put anything in the Proxy IDs as long as both sides match. This is different when establishing with Cisco's or other vendors as they need to actually match the traffic being sent over the tunnel.
So in our example we are have a remote IP range of 10.10.11.0/24 and a local range of 172.16.201.0/24. However we are performing subnet overlap on the tunnel so to keep it in tune we are considering our local range of 192.222.222.0/24. That being the case the following code is used:
root@host# set security ipsec vpn LAB_VPN_01 ike proxy-identity local 192.222.222.0/24
root@host# set security ipsec vpn LAB_VPN_01 ike proxy-identity remote 10.10.11.0/24
Monday 27 June 2011
Best Practices for High Availability Deployments using IPS, SRX and AppSecure