Archive for the ‘g33k’ Category
So application identification / firewall / secure has made it way to the branch. This is awesome news. So I have managed to obtain a 30 day trial to see how it performs on my home SRX100. With ym simple rule base I have seen 1ms increase in my latency!!
After adding the license you can now perform the following:
Install Application identification
request services application-identification download
Check the status:
- request services application-identification download status
Application package 1980 is installed successfully.
Create a Application Ruleset
All that is ahppening here is youtube is BLOCKED, everything else is allowed.
[plain]
set security application-firewall rule-sets block-webtraffic rule youtube match dynamic-application junos:YOUTUBE
set security application-firewall rule-sets block-webtraffic rule youtube then deny
set security application-firewall rule-sets block-webtraffic default-rule permit
[/plain]
Add to a security policy:
There is now the 'application-firewall' settings to apply to policies ...
cooper@noona-gw# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services ?
Possible completions:
> application-firewall Application firewall services
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
gprs-gtp-profile Specify GPRS Tunneling Protocol profile name
gprs-sctp-profile Specify GPRS stream control protocol profile name
idp Intrusion detection and prevention
redirect-wx Set WX redirection
reverse-redirect-wx Set WX reverse redirection
> uac-policy Enable unified access control enforcement of policy
utm-policy Specify utm policy name
Example Policy:
[plain]
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services application-firewall rule-set block-webtraffic
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close
[/plain]
TODO: Play with 'application-tracking'. Will update blog post once I have.
So it's that simple ... Application firewalling is now accross the whole SRX range ... win.
Tags: app, appfw, application, appqos, appsecure, apptrack, branch, firewall, junos, secure, srx
Posted in g33k, juniper |
Do you have Junos devices? If you do, excellent choice. Do you have MiToken? Once again, love your work there. If you don't have MiToken, it's a plug-in to the M$ IAS/NPS servers that allows mutiple types of hard and soft tokens to be used allowing secure OTPs with dual factor authentication with your Active Directory domain(s).
This post will guide you though configuring Junos to use MiToken for two factor authentiucation to help hardern your Junos devices.
For more information on MiToken visit mi-token.com.
This configuration has been tested with Junos11.1r3.5, Junos is a registered trademark of Juniper Networks.
Junos Device Config:
Now go jump into Junos configuration mode and set the following:
[text]
# Add radius to the password auth order
set system authentication-order radius
set system radius-server x.x.x.x port 1812
set system radius-server x.x.x.x secret "SECRET"
set system radius-server x.x.x.x timeout 10
set system radius-server x.x.x.x retry 2
set system radius-server x.x.x.x source-address x.x.x.x
# Block everyone access by default
set system login user remote full-name Radius-User
set system login user remote class unauthorized
# Create users who should get access
set system login user john full-name "John Smith"
set system login user john class super-user
[/text]
MiToken / NPS Configuration:
Now lets configure the MiToken side to accept radius packets from our Junos device(s). The only down side to MiToken is it runs on Windows :-(.
1) Define a Radius client in NPS
Right click on radius clients and choose 'New RADIUS Client'
2) Define a connection request policy
Set up your policy to identify your Junos devices ... For more information refer to the MiToken Admin guide.
This step is optional. You do not have to require Windows Authentication to be active - This would take you back to single factor OTP auth
3) Enable MiToken on the connection request policy for Junos devices
4)
Enjoy you radius dual factor authentication. Your auditors and boss will now love you. Hit them up for a raise.
5)
Send some praise Cooper's way 🙂
Tags: authentication, dual, ex, factor, junos, mi-token, mitoken, radius, router, srx, two
Posted in g33k, juniper |
32- and 64-bit PL2303 drivers for OS X 10.6 are available here.
You'll need to modify, as root, the '/System/Library/Extensions/ProlificUsbSerial.kext/Contents/Info.plist ' file after installing the driver to suit the USB manufacturer and device ID. For the ATEN UC232A, examples below appear to work for it (for me in 10.7).
To obtain the IDs, Wayne Roberts (who informed my via the SAGE-AU mailing lists), used 'USB Prober.app' which comes with the developer tools/XCode.
Modify the current lines of the XML:
[text]
# <key> can be the Hex values as 'Vendor'_'Product', Wayne thinks this is more cosmetic however.
<dict>
<key>0557_2008</key>
<dict>
----
# <idProduct> and <idVendor> should be the decimal of the respective values, as per USB Prober.app
<key>idProduct</key>
<integer>8200</integer>
<key>idVendor</key>
<integer>1367</integer>
[/text]
Once you've done this, either restart the machine or run 'kextunload' and 'kextload' on ProlificUsbSerial.kext and it should show up as /dev/tty.usbserial.
** If you have installed the UC232A Drivers, either rm or mv the 'UC-232AC.kext' before the reboot to avoid conflicts **
Tags: 107, aten, lion, mac, os, screen, serial, uc232a, usb, x
Posted in g33k, tech |
The new air is much better looking !
- Spaces (10.6) vs. Mission Control (10.7)
Tags: air, apple, mac, macbook, new, thunderbolt
Posted in g33k, work |
So a co-worker and I spent some time playing around with JunOS 11's (I believe it came in with 11 - correct me if wrong) reth's ability to now be LACP interfaces, as well as just plain redundant. It was not immediately clear how the switch was required to be set up in order to facilitate this new, awesome feature.
- This was used with a ex4200 virtual chassis cluster and SRX Chassis Cluster -
Here is how we got it happily working (assuming you have a chassis cluster up and running):
SRX Config:
set interfaces ge-2/0/0 gigether-options redundant-parent reth1
set interfaces ge-2/0/1 gigether-options redundant-parent reth1
set interfaces ge-2/0/2 gigether-options redundant-parent reth1
set interfaces ge-2/0/3 gigether-options redundant-parent reth1
set interfaces ge-11/0/0 gigether-options redundant-parent reth1
set interfaces ge-11/0/1 gigether-options redundant-parent reth1
set interfaces ge-11/0/2 gigether-options redundant-parent reth1
set interfaces ge-11/0/3 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp passive
EX Config:
set interfaces ge-0/0/0 ether-options 802.3ad ae1
set interfaces ge-0/0/1 ether-options 802.3ad ae2
set interfaces ge-0/0/2 ether-options 802.3ad ae1
set interfaces ge-0/0/3 ether-options 802.3ad ae2
set interfaces ge-1/0/0 ether-options 802.3ad ae2
set interfaces ge-1/0/1 ether-options 802.3ad ae1
set interfaces ge-1/0/2 ether-options 802.3ad ae2
set interfaces ge-1/0/3 ether-options 802.3ad ae1
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp active
Now we have LACP bandwidth and redundancy - Either the switch or SRX can die, in theory.
* Have not tested the failover yet - But will before this set up goes to production - Will update the post *
Tags: australia, chassis, cluster, ex, firewall, ict, junos, lacp, networks, north, redundant, reth, router, srx, switch, sydney, virtual
Posted in g33k, juniper |
Ever wondered why 3G from Vodaphone is so crap? I did, so from Central station I did a ping test on each network one after another. Here is the difference between the latency to an AARNET connected host @ ANSTO. The results speak for themselves.
Vodaphone:
--- 137.157.8.5 ping statistics ---10 packets transmitted, 10 packets received, 0.0% packet lossround-trip min/avg/max/stddev = 97.773/663.878/1901.235/612.384 ms
Telstra:
--- 137.157.8.5 ping statistics ---10 packets transmitted, 10 packets received, 0.0% packet lossround-trip min/avg/max/stddev = 88.699/96.234/141.846/15.256 ms
I think Telstra is worth the extra money ...
Tags: 3g, latency, ping, shit, telstra, vodaphone
Posted in g33k |
I think the plastic clips would hurt ...
Yes, you are looking at a flogger crafted from cat-5 wiring. (Internet cable, in other words.) It sports a D-ring for easy hanging. This will satisfy your inner - or outer! - geek for sure. 🙂 Each tip is firmly wired in place and secured with bonding glue. Packs quite a sting, and will leave such distinct marks! This baby is bound to make your sub /beg.
Source: esty.com
Posted in g33k, humour |
Want mplayer2 (the newer fork of mplayer) that uses ffmpeg goodness to play all the latest avi's with funky codecs and mp4 hidef goodness. Some Openindiana contributors are building a lot of friendly packages in the oi-sfe repo.
[plain]
sudo pkg set-authority -O http://staticdev.uk.openindiana.org:10002 oi-sfe
sudo pkg refresh --full
sudo pkg install SFEmplayer2 SFEgccruntime
[/plain]
P.S. Need to manually install SFEgccruntime as it was a forgotten dependency - This will be fixed I have been informed.
P.P.S - ALSO I have only tested and is only expect to work on OI_148
Tags: 11, mplayer, mplayer2, openindiana, opensolaris, sfe, utilities
Posted in g33k, solaris |
I love ipadm. It rocks. Much needed for Solaris and derivatives. I seem to keep forgetting the dam new ipadm commands tho. So I wrote this script to help me set up new Solaris machines and thought I would share.
[bash]
#!/usr/bin/bash
INTERFACE=$1
ADDRESS=$2
GATEWAY=$3
V6AUTO=1
errorCheck()
{
if [ $? -ne 0 ]; then
echo "ERROR: $@"
exit 69
fi
}
# Handle Args
if [ $# -ne 3 ]; then
echo "ERROR: Invalid arguments"
echo "Usage:nt$0: INTERFACE ADDRESS/CIDR-MASK GATEWAY/DEFAULTROUTER"
exit 1
fi
ipadm create-if $INTERFACE
errorCheck "Unable to create-if $INTERFACE"
ipadm create-addr -T static -a local=${ADDRESS} ${INTERFACE}/v4static
errorCheck "Unable to set static v4 on $INTERFACE"
if [ $V6AUTO -ne 0 ]; then
ipadm create-addr -T addrconf ${INTERFACE}/v6addr
errorCheck "Unable to set v6 autoconf on $INTERFACE"
fi
if [ $GATEWAY != "" ]; then
route add default $GATEWAY
errorCheck "Unable to set default router to $GATEWAY"
else
echo "!--> Not setting gateway as none was set ..."
fi
echo "--> Finished setting $ADDRESS on $INTERFACE with $GATEWAY default route ..."
[/bash]
Tags: ipadm, ipv4, ipv6, openindiana, opensolaris
Posted in g33k, solaris |
"What is that? Can you mute it?"
[youtube https://www.youtube.com/watch?v=iE7AaTVMXA0&w=480&h=390]
"It dosen't do that."
Tags: lecture, old, school, typewriter
Posted in humour |
