Archive for August 2011

JUNOS AppSecure now on Branch SRXs

Friday, August 26, 2011

So application identification / firewall / secure has made it way to the branch. This is awesome news. So I have managed to obtain a 30 day trial to see how it performs on my home SRX100. With ym simple rule base I have seen 1ms increase in my latency!!

After adding the license you can now perform the following:

Install Application identification

request services application-identification download

Check the status:

  • request services application-identification download status
    Application package 1980 is installed successfully.

Create a Application Ruleset

All that is ahppening here is youtube is BLOCKED, everything else is allowed.

[plain]
set security application-firewall rule-sets block-webtraffic rule youtube match dynamic-application junos:YOUTUBE
set security application-firewall rule-sets block-webtraffic rule youtube then deny
set security application-firewall rule-sets block-webtraffic default-rule permit
[/plain]

Add to a security policy:

There is now the 'application-firewall' settings to apply to policies ...

cooper@noona-gw# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services ?
Possible completions:
> application-firewall  Application firewall services
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
gprs-gtp-profile     Specify GPRS Tunneling Protocol profile name
gprs-sctp-profile    Specify GPRS stream control protocol profile name
idp                  Intrusion detection and prevention
redirect-wx          Set WX redirection
reverse-redirect-wx  Set WX reverse redirection
> uac-policy           Enable unified access control enforcement of policy
utm-policy           Specify utm policy name

Example Policy:

[plain]
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services application-firewall rule-set block-webtraffic
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close
[/plain]

TODO: Play with 'application-tracking'. Will update blog post once I have.

So it's that simple ... Application firewalling is now accross the whole SRX range ... win.

Tags: , , , , , , , , , ,
Posted in g33k, juniper | 2 Comments »

MiToken + Junos Two Factor Radius Authentication

Tuesday, August 16, 2011

Do you have Junos devices? If you do, excellent choice. Do you have MiToken? Once again, love your work there. If you don't have MiToken, it's a plug-in to the M$ IAS/NPS servers that allows mutiple types of hard and soft tokens to be used allowing secure OTPs with dual factor authentication with your Active Directory domain(s).

This post will guide you though configuring Junos to use MiToken for two factor authentiucation to help hardern your Junos devices.


For more information on MiToken visit mi-token.com.
This configuration has been tested with Junos11.1r3.5, Junos is a registered trademark of Juniper Networks.

Junos Device Config:

Now go jump into Junos configuration mode and set the following:

[text]
# Add radius to the password auth order
set system authentication-order radius

set system radius-server x.x.x.x port 1812
set system radius-server x.x.x.x secret "SECRET"
set system radius-server x.x.x.x timeout 10
set system radius-server x.x.x.x retry 2
set system radius-server x.x.x.x source-address x.x.x.x

# Block everyone access by default
set system login user remote full-name Radius-User
set system login user remote class unauthorized

# Create users who should get access
set system login user john full-name "John Smith"
set system login user john class super-user
[/text]

MiToken / NPS Configuration:

Now lets configure the MiToken side to accept radius packets from our Junos device(s). The only down side to MiToken is it runs on Windows :-(.

1) Define a Radius client in NPS


Right click on radius clients and choose 'New RADIUS Client'

2) Define a connection request policy


Set up your policy to identify your Junos devices ... For more information refer to the MiToken Admin guide.


This step is optional. You do not have to require Windows Authentication to be active - This would take you back to single factor OTP auth

3) Enable MiToken on the connection request policy for Junos devices

4)

Enjoy you radius dual factor authentication. Your auditors and boss will now love you. Hit them up for a raise.

5)

Send some praise Cooper's way 🙂

Tags: , , , , , , , , , ,
Posted in g33k, juniper | 1 Comment »