Mike's blog
Why is VPN so hard between Cisco and Juniper?
Many times have I seen engineers frustrated with getting a VPN tunnel up between a Cisco and a Juniper device. Often it is the Juniper side that is left to resolve the problem, because the Cisco guy has never had a problem before: "It should just work!"
All very nice, however not all VPN devices are created equal. Know your device!
Let's take two security devices: Juniper SRX and a Cisco ASA
The ASA has one method for IPsec: the crypto map. Decoded into an easier-to-understand term, this means policy-based VPN.
The Juniper SRX has two methods:
- Policy-based VPN
- Route-based VPN
Juniper SRX vs SSG
Juniper has had the SRX out for almost 2 years now, however there are still some mysteries surrounding the device, especially in comparison with the SSG.
The SRX is a new firewall/security product based on JunOS. It is the successor to the ScreenOS-based SSG firewall. The SRX takes all the features of ScreenOS and transplants them into JunOS. That means the concepts are the same for many features, including policies, zones, IPsec VPN, IDS and UTM.
Are you doing the basics?
It seems that time and time again businesses and government agencies fail to do the basics to secure their IT infrastructure.
The recent US incident with HBGary shows how failing to do the basics can cost you dearly. See this link for more details: http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-ins...
The main failings in this incident were:
My Experience with Hyper-V - Part 2
After the adventures of the initial installation, it's time to investigate how to manage the beast.
Management
You can manage via the built-in VMM Console, which you can run on your Windows 7 or 2k8 server platform. This provides a basic method of managing VMs. Creating a new VM was relatively easy, with all the usual options you would expect when comparing to VMware. Snapshots were no surprise either.
My Experience with Hyper-V - Part 1
I will recount my experiences with Hyper-V so far.
The basic premise for using Hyper-V was cost, as 8 Microsoft Server licenses were included with a Hyper-V server. This is good, however on a well spec'd box I should expect in excess of 16 virtual servers (2 x quad-core CPU with appropriate RAM). So it will save some money, but not all of your MS licensing.
The hardware I built on is as follows:
- 2 x Xeon Quad Core
- 64GB RAM
- 2 x 74GB 15K RPM SAS Hardware RAID 1
- 4 x Broadcom Gigabit NICs
How is your internal security?
Everybody knows we need firewalls, right? Yes, we know about firewalls; we have one protecting us from the Internet.
That's a good start, however have you considered the inside of your network?
Ask yourself these questions:
- Do your branch offices (WAN Network) directly route into your LAN?
- Can users access management interfaces, e.g. iLO, DRAC or ALOM interfaces?
- Do wireless users connect directly to your LAN?
- Can anyone connect to your network from your meeting rooms?
A quick way to configure interface ranges on Juniper Switches - JunOS Tips
One of the most frequent questions I am asked during training is "Is there an interface range command?"
This is mostly asked by people who are familiar with Cisco products. As of JunOS version 10.0 there is a range configuration command. Previously you would have to create a group and apply it to multiple interfaces.
Example:
Our example applies 100 Mb/s full duplex and layer 2 operation to 10 interfaces.
I've made it easy to follow by showing the set commands.
The old way:
user@host# set groups test interfaces ether-options speed 100