Sunday, September 24, 2017

Create AWS Diagrams Online

I was looking for some online tools to create impressive AWS diagrams for my learning process. Most online diagram websites offer some free usage.

In my My Top Internet / Network Tools post, I mentioned the following online diagram drawing websites, which I have used before:
  • Gliffy: after the trial, it is still free to use, but you cannot create new diagrams. Existing diagrams are kept for editing. Gliffy marks all diagrams as public when a trial expires, but diagrams always remain in the account regardless of its status; Gliffy never moves or deletes them. A free account has a limit of 2MB or 5 diagrams, but that is usually enough, since you can export to Gliffy format and import it again later. 
  • Lucidchart: it can import/export Visio format files. A free account is limited to 60 objects, three active documents, 25MB of storage, no editing of imported Visio files, etc. 
  • https://www.draw.io/ : it supports saving diagrams to all kinds of online cloud drives. 
  • http://asciiflow.com/
  • SmartDraw: provides a desktop version, not free. For the cloud version there is only a 7-day trial and no free usage. 
  • https://cloudcraft.co/ : best for AWS diagrams. It also gives you a budget number for your AWS infrastructure. Please check this post.



Here are some AWS diagram websites I found useful.

1. AWS 3D Diagram from Cloudcraft.co

It was quite impressive when I made my first diagram. The limited grid size is a big pain when you try to draw a detailed diagram of your AWS VPC, but it is good enough to draw a three-tier application deployment. 

Cloudcraft allows registered users to create AWS diagrams for free using all available components, with some features limited. Upgrading to Cloudcraft Pro adds import of live AWS data and unlimited-size diagrams. It can automatically calculate the cost of your design and also provides a live connection to your AWS account. The smart components feature makes it much easier to connect the components you lay out on the grid than any other website I tried. Love it. So far I think it is the best site for me.

A $49 monthly subscription upgrades you to the Pro level and unlocks those restrictions.


Building a 3S (Scalable, Stable and Secure) AWS Test Environment - Part 2


3. Building a scalable AWS architecture (ELB, ASG, RDS)

  • Understand NAT Instance vs NAT Gateway
  • Create your security groups
  • Create your EC2 keypair
  • Create your RDS SQL instance
  • Bake your Amazon Machine Image
  • Create your launch configuration
  • Create your auto-scaling group
  • Create your Elastic Load Balancer
  • Test, break, fix, celebrate
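As an added example (not the post's own material), here is how the security-group step of that list can be modelled and checked before anything is created in AWS: a Python sketch of the ELB, app and RDS groups in which only the load balancer accepts Internet traffic and each inner tier admits only the group in front of it, plus an audit that flags rules breaking that design. The group names, the app port 8080 and the MySQL port 3306 are assumptions for the illustration.

```python
"""Added example: model the security groups for the ELB -> app -> RDS tiers
and audit them for overly broad ingress before creating them in AWS.
Not from the post; group names, the app port and the MySQL port are assumptions."""
from dataclasses import dataclass, field
from typing import List

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp", "udp" or "-1" (all protocols, as the AWS API spells it)
    from_port: int
    to_port: int
    source: str       # a CIDR block or the name of another security group


@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)


def three_tier_groups() -> List[SecurityGroup]:
    """The intended layout: only the ELB faces the Internet; each inner tier
    accepts traffic solely from the security group of the tier in front of it."""
    elb = SecurityGroup("sg-elb", [Rule("tcp", 443, 443, ANY_V4)])
    app = SecurityGroup("sg-app", [Rule("tcp", 8080, 8080, "sg-elb")])   # app port: assumption
    rds = SecurityGroup("sg-rds", [Rule("tcp", 3306, 3306, "sg-app")])   # MySQL on RDS: assumption
    return [elb, app, rds]


def audit(groups: List[SecurityGroup], internet_facing=("sg-elb",)) -> List[str]:
    """Return one finding per rule that breaks the tiered design."""
    findings = []
    names = {g.name for g in groups}
    for g in groups:
        for r in g.ingress:
            world = r.source in (ANY_V4, ANY_V6)
            # Only the load-balancer tier may be open to the world.
            if world and g.name not in internet_facing:
                findings.append(f"{g.name}: {r.proto}/{r.from_port}-{r.to_port} open to {r.source}")
            # SSH from the world is never part of the design (use a bastion or SSM instead).
            if world and (r.proto == "-1" or (r.proto == "tcp" and r.from_port <= 22 <= r.to_port)):
                findings.append(f"{g.name}: SSH reachable from {r.source}")
            # "All traffic" rules defeat the purpose of per-tier groups.
            if r.proto == "-1":
                findings.append(f"{g.name}: all-protocol rule from {r.source}")
            # A source that is neither a CIDR nor a known group is a typo or a stale reference.
            if not world and "/" not in r.source and r.source not in names:
                findings.append(f"{g.name}: references unknown group {r.source}")
    return findings


if __name__ == "__main__":
    print("clean design:", audit(three_tier_groups()))
    # Constructed bad variant: the database group opened to the world "for testing".
    bad = three_tier_groups()
    bad[2].ingress.append(Rule("tcp", 3306, 3306, ANY_V4))
    print("bad design:", audit(bad))
```

The same checks can be run against real rules by mapping the output of `aws ec2 describe-security-groups` onto the `Rule` objects; the point is that the RDS group should never carry a CIDR source at all, only a reference to the app group.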
Understand NAT

You may need NAT for VPN. There are two types of NAT: NAT Instance and NAT Gateway.

VPC: NAT Instance

Wednesday, September 20, 2017

My Top Internet / Network Tools

There are lots of useful sites that help with troubleshooting. I have listed some common tools and websites I use myself. Please let me know what you are using; I would like to try them and add them to this list.
1. Internet/Network Tools Portal
2. Internet/Network Speed Test
3. IP Subnet Calculator
4. Network Monitoring Related
5. DNS and Domain Name Related
6. BGP Toolkit
7. Your Public IP Address
8. Online Diagram Drawing Sites
9. SNMP Tools
10. HTTP and HTTPS Check Tools
11. Email Diagnostic Tools
12. Proxy Sites
13. Remote Support / Online Meeting
14. Remote (SSH / Telnet) Access Tools
15. NTP Server
16. Portable Software
17. Online PDF Tools

Wednesday, September 13, 2017

Building a 3S (Scalable, Stable and Secure) AWS Test Environment - Part 1

Gartner Magic Quadrant for Cloud Infrastructure as a Service, Worldwide June 2017
According to Gartner, Amazon Web Services (AWS) has become the undisputed leading cloud provider in the world. AWS is rated “the most mature, enterprise-ready provider, with the deepest capabilities for governing a large number of users and resources.” Gartner says it can satisfy the cool kids who want cloud-native and the old hands who want to shift traditional workloads to the cloud, in part because independent software vendors have clambered aboard in large numbers.


AWS has a good Quick Start deployment guide which presents a good example of building a VPC environment with the following features:
  • Up to four Availability Zones for high availability and disaster recovery. Availability Zones are geographically distributed within a region and spaced for best insulation and stability in the event of a natural disaster. AWS recommends maximizing your use of Availability Zones to isolate a data center outage. 
  • Separate subnets for unique routing requirements. AWS recommends using public subnets for external-facing resources and private subnets for internal resources. For each Availability Zone, this Quick Start provisions one public subnet and one private subnet by default.
  • Additional layer of security. AWS recommends using network access control lists (ACLs) as firewalls to control inbound and outbound traffic at the subnet level. This Quick Start provides an option to create a network ACL protected subnet in each Availability Zone. These network ACLs provide individual controls that you can customize as a second layer of defense.
  • Independent routing tables configured for every private subnet to control the flow of traffic within and outside the Amazon VPC. The public subnets share a single routing table, because they all use the same Internet gateway as the sole route to communicate with the Internet.
  • Highly available NAT gateways, where supported, instead of NAT instances. NAT gateways offer major advantages in terms of deployment, availability, and maintenance.
  • Spare capacity for additional subnets, to support your environment as it grows or changes over time.
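As an added example, not from AWS or the Quick Start, the following Python script carves a VPC CIDR into the layout described in the list: one private and one public subnet per Availability Zone (up to four), a single shared route table for the public subnets, one route table per private subnet, and whatever is left reported as spare capacity. The /19 private and /20 public sizes are assumptions for the illustration, not the Quick Start's actual parameters.

```python
"""Added example: carve a VPC CIDR into one private and one public subnet per
Availability Zone (up to four), leaving spare space, in the spirit of the
Quick Start layout. Not from AWS or the post; the /19 private and /20 public
sizes are assumptions, not the Quick Start's actual values."""
import ipaddress
from typing import Dict, List, Tuple


def plan_subnets(vpc_cidr: str, az_count: int,
                 private_prefix: int = 19, public_prefix: int = 20) -> Tuple[Dict, List]:
    if not 1 <= az_count <= 4:
        raise ValueError("the layout supports one to four Availability Zones")
    vpc = ipaddress.ip_network(vpc_cidr)
    pool = [vpc]                      # free blocks; allocation is first-fit by address

    def take(prefix: int):
        for blk in sorted(pool):
            if blk.prefixlen <= prefix:
                pool.remove(blk)
                sub = next(blk.subnets(new_prefix=prefix))
                pool.extend(blk.address_exclude(sub))   # keep the leftover pieces
                return sub
        raise ValueError(f"no free /{prefix} left in {vpc}")

    plan = {f"az{i + 1}": {} for i in range(az_count)}
    for az in plan:                   # private subnets first: they are the larger blocks
        plan[az]["private"] = take(private_prefix)
    for az in plan:
        plan[az]["public"] = take(public_prefix)
    spare = sorted(ipaddress.collapse_addresses(pool))
    return plan, spare


def route_tables(plan: Dict) -> Dict[str, List]:
    """Public subnets share one table because they all use the same Internet
    gateway; every private subnet gets its own so its NAT route is independent."""
    tables = {"public-shared": [plan[az]["public"] for az in plan]}
    for az in plan:
        tables[f"private-{az}"] = [plan[az]["private"]]
    return tables


if __name__ == "__main__":
    plan, spare = plan_subnets("10.0.0.0/16", 4)
    for az, subnets in plan.items():
        print(az, "private:", subnets["private"], "public:", subnets["public"])
    print("spare:", [str(s) for s in spare])
    print("route tables:", {k: [str(s) for s in v] for k, v in route_tables(plan).items()})
```

With `10.0.0.0/16` and four zones the private subnets land on `10.0.0.0/19` through `10.0.96.0/19`, the public ones on `10.0.128.0/20` through `10.0.176.0/20`, and `10.0.192.0/18` stays free for later subnets, which is the "spare capacity" item above made concrete.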


Monday, September 11, 2017

Cisco Router IKEv2 IPSec VPN Configuration

What are the differences between IKEv1 and IKEv2?
1. Different negotiation processes
− IKEv1
  • IKEv1 SA negotiation consists of two phases.
  • IKEv1 phase 1 negotiation aims to establish the IKE SA. This process supports the main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, but aggressive mode uses only three. Therefore, aggressive mode is faster in IKE SA establishment. However, aggressive mode does not provide the Peer Identity Protection.
  • IKEv1 phase 2 negotiation aims to set up the IPSec SA for data transmission. This process uses quick mode (3 ISAKMP messages) to complete the negotiation.
− IKEv2
  • Compared with IKEv1, IKEv2 simplifies the SA negotiation process. IKEv2 uses two exchanges (a total of 4 messages) to create an IKE SA and a pair of IPSec SAs. To create multiple pairs of IPSec SAs, only one additional exchange is needed for each additional pair of SAs.

Friday, September 8, 2017

Juniper Space Security Director Policy Hit Counts Not Updated Automatically


Issue Symptoms:
  • Normally, each firewall rule on the SRX auto-updates an SNMP counter for hit count, regardless of whether 'count' is configured or not. Juniper Space Security Director periodically polls these OIDs and updates the hit count.   
  • In Juniper Space 16.1 R1, the issue found is that policy hit counts cannot be viewed from Juniper Space Security Director, while the SRX itself keeps updating them. 

Actions Taken:
  • Verify Security Appliance Policy Hits from Command line
root@fw-mgmt-2> show security policies hit-count 
node1:
--------------------------------------------------------------------------

Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 1       Vlan2              Vlan1        Baramondi_Monitor 0            
 2       Vlan2              Vlan1        10             4428         
 3       Vlan2              Vlan1        50             0            
 4       Vlan2              Vlan1        40             11136        
 5       Vlan2              Vlan1        default-logdrop 0            
 6       Vlan2              Vlan1        53             2007         
 7       Vlan2              Vlan1        54             0            
 8       Vlan2              Vlan1        55             0            
 9       Vlan2              MGMT              6              538          
 10      Vlan2              MGMT              23             0            
 11      Vlan2              MGMT              74             2            
 12      Vlan2              MGMT              default-logdrop 81           
 13      Office              Vlan1        default-logdrop 0            
 14      Office              Vlan1        60             447          
 15      Office              Vlan1        Office_Archive    0            
 16      Office              Vlan1        58             0            
 17      Office              Vlan1        Baramondi_Monitor-1 0            
 18      Office              MGMT              Office_Archive-1  0            
 19      Office              MGMT              default-logdrop 0            
 20      Vlan1       Vlan2               Baramondi_Rules 0            
 21      Vlan1       Vlan2               VA             0            
 22      Vlan1       Vlan2               A_Office_2_Vlan2    292          
 23      Vlan1       Vlan2               default-logdrop 1696         
 24      Vlan1       Office               VA-1           0            
 25      Vlan1       Office               Baramondi_Rules-1 0            
 26      Vlan1       Office               Device-Zone-1  0            
 27      Vlan1       Office               4              1299         
 28      Vlan1       Office               default-logdrop 0            
   ........


It is clear that there are hit counts on the SRX itself, but they are not being pulled/pushed into Space. A log collector has been configured and it is receiving logs from this SRX.
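As an added example (not part of the post), the script below parses the `show security policies hit-count` output above so the SRX-side counters can be checked by script while Space is not showing them: it lists zero-hit rules other than the catch-all drop as cleanup candidates, and flags rules whose SRX counter is moving while a Space-side export still reads zero, which is exactly the symptom described. The embedded output is an eight-row excerpt of the listing in the post; the Space-side counts are constructed.

```python
"""Added example: parse `show security policies hit-count` output, list
unused rules, and compare the SRX counters with what Space reports.
Not from the post; the Space-side counts are constructed."""
import re
from typing import Dict, List, NamedTuple


class PolicyHit(NamedTuple):
    index: int
    from_zone: str
    to_zone: str
    name: str
    count: int


# Excerpt of the SRX output shown in the post (eight of the 28 rows).
SRX_OUTPUT = """\
node1:
--------------------------------------------------------------------------

Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 1       Vlan2              Vlan1        Baramondi_Monitor 0
 2       Vlan2              Vlan1        10             4428
 4       Vlan2              Vlan1        40             11136
 5       Vlan2              Vlan1        default-logdrop 0
 12      Vlan2              MGMT              default-logdrop 81
 14      Office              Vlan1        60             447
 23      Vlan1       Vlan2               default-logdrop 1696
 28      Vlan1       Office               default-logdrop 0
   ........
"""

# index, from zone, to zone, policy name, count; policy names carry no spaces
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_hit_counts(text: str) -> List[PolicyHit]:
    """Keep only data rows; headers, separators and the trailing '........' are skipped."""
    hits = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, fz, tz, name, count = m.groups()
            hits.append(PolicyHit(int(idx), fz, tz, name, int(count)))
    return hits


def rule_key(h: PolicyHit) -> str:
    return f"{h.from_zone}->{h.to_zone}:{h.name}"


def unused_policies(hits: List[PolicyHit], ignore=("default-logdrop",)) -> List[str]:
    """Zero-hit rules other than the catch-all deny are review/cleanup candidates."""
    return [rule_key(h) for h in hits if h.count == 0 and h.name not in ignore]


def total_hits(hits: List[PolicyHit], name: str = None) -> int:
    return sum(h.count for h in hits if name is None or h.name == name)


def stale_in_space(hits: List[PolicyHit], space_counts: Dict[str, int]) -> List[str]:
    """The post's symptom: the SRX counter is moving but Space still shows 0."""
    return [rule_key(h) for h in hits if h.count > 0 and space_counts.get(rule_key(h), 0) == 0]


if __name__ == "__main__":
    hits = parse_hit_counts(SRX_OUTPUT)
    print(len(hits), "rules parsed;", total_hits(hits), "hits in total")
    print("unused:", unused_policies(hits))
    print("default-logdrop hits:", total_hits(hits, "default-logdrop"))
    # Constructed Space view: every counter reads 0, as in the post.
    space = {rule_key(h): 0 for h in hits}
    print("moving on SRX but zero in Space:", stale_in_space(hits, space))
```

Feeding the full 28-row output into `parse_hit_counts` works the same way; the regex keys on the index column and the integer count, so the ragged column alignment in the CLI output does not matter.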

Wednesday, September 6, 2017

Cisco IOS Command Tips and Tricks - Part 2

The Cisco IOS command list is getting longer, so it has been split into two posts:

21. Auto secure

Cisco also provides a one-step-lockdown-like feature at the command line! This feature is called AutoSecure. It uses the command shown below:

auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]


22. Change Site-to-Site VPN Idle time out to 5 minutes

For IOS Router

R1(config)#crypto ipsec security-association idle-time 300


For ASA

ASA1(config)#group-policy GP_1.1.1.2 attributes
ASA1(config-group-policy)#vpn-idle-timeout 300

ASA1(config-group-policy)#vpn-session-timeout none

Tuesday, September 5, 2017

Troubleshooting Cisco IPSec Site to Site VPN - "QM Rejected"

There was a VPN issue to troubleshoot recently. It was between a Juniper SRX and a Cisco router. It seemed straightforward, but it took quite a long time to troubleshoot because of communication issues. All steps are listed here for my future reference.

Some other related posts:

Diagram

1. Enable debugging on the Cisco IOS router

vpn-R1#debug crypto ipsec
Crypto IPSEC debugging is on

vpn-R1#debug crypto isakmp
Crypto ISAKMP debugging is on

vpn-R1#debug crypto engine
Crypto Engine debugging is on

vpn-R1#terminal monitor