Sunday, January 21, 2018

Enable IDP on Juniper SRX Devices Managed by Juniper Space

1. License

Thursday, January 4, 2018

Gartner Magic Quadrant for SIEM Products (2017, 2016, 2015, 2014, 2013, 2012, 2011, 2010)

Gartner defines SIEM as a technology that aggregates data produced by security devices, network infrastructure and systems, and applications. Products in the security information and event management (SIEM) market analyze security event data and network flow data in real time for internal and external threat management. They collect, store, analyze and report on log data for incident response, forensics and regulatory compliance. Vendors in this space are continually improving threat intelligence and security analytics. Companies are looking to adopt this technology in order to detect threats and breaches, and by compliance needs. Early breach discovery requires effective user activity, data access and application activity monitoring.

Companies placed by Gartner in the Leaders Quadrant have been the most successful in building an installed base and establishing a revenue stream from the SIEM market. Leaders also typically have a high share of the market and high revenue growth. They've also demonstrated superior vision and execution for emerging and anticipated requirements of the market. What's more, they've garnered positive customer feedback for their SIEM products, as well as service and support of those products. 

Four vendors are in Leaders quadrant: IBM, Splunk, LogRhythm, McAfee
Three vendors are in Visionaries: Rapid7, Securonix, Exabeam

Monday, January 1, 2018

Install and Configure Palo Alto VM in Vmware Workstation / ESXi

Palo Alto Networks has developed Virtualized Firewalls VM series to run in virtual environment. Here is the list for supported hypervisors from its website:
The VM-Series supports the exact same next-generation firewall and advanced threat prevention features available in our physical form factor appliances, allowing you to safely enable applications flowing into, and across your private, public and hybrid cloud computing environments.Automation features such as VM monitoring, dynamic address groups and a REST-based API allow you to proactively monitor VM changes dynamically feeding that context into security policies, thereby eliminating the policy lag that may occur when your VMs change.The VM-Series supports the following hypervisors:
  • VMWare ESXi and NSX
  • Citrix SDX,
  • KVM (Centos/RHEL)
  • Ubuntu
  • Amazon Web Services

There are four models for different requirements:
  • VM-100
  • VM-200
  • VM-300
  • VM-1000-HV

Saturday, December 9, 2017

Check Point 1100 SIP Configuration and Troubleshooting Dropped the packets due to "Violated Unidirectional Connection"

One request came up for a simple internet SIP connection to SIP provide Goldline. There are VoIP devices involved in this task, such as Cisco Router AS5350 and IP PBX, also Check Point 1100 firewall used to protect this connection.


Thursday, December 7, 2017

Cisco IOS Internet Key Exchange version 1 (IKEv1) Vulnerability and Fix

Cisco IKEv1 is still popular in VPN configuration. Most of my vpn configuration is based on IKE v1 although there are more demands for v2.  I had a post "Cisco Router IKE v2 Site to Site IPSec VPN Configuration" to quickly show what the difference is between v1 and v2, and how to do v2 configuration.  Recently some vulnerabilities scan tools raised a red flag to my IKE v1 configuration.


There is IKE v1 vulnerability found and it lists severity level high.

Monday, November 20, 2017

Cisco 3850 Mgmt VRF Configuration

Ethernet Management Interface VRF

New Cisco Routers and Switches come with a dedicated Ethernet port which unique purpose is to provide management access to the device via SSH or Telnet. This interface is isolated in its own VRF called "Mgmt-vrf'. Placing the management Ethernet interface in its own VRF has the following effects on the Management Ethernet interface:
  1. Many features must be configured or used inside the VRF, so the CLI may be different for certain Management Ethernet functions on other routers.
  2. Prevents transit traffic from traversing the device. Because all of the SPA interfaces and the Management Ethernet interface are automatically in different VRFs, no transit traffic can enter the Management Ethernet interface and leave a SPA interface, or vice versa.
  3. Improved security of the interface. Because the Mgmt-intf VRF has its own routing table as a result of being in its own VRF, routes can only be added to the routing table of the Management Ethernet interface if explicitly entered by a user.
  4. The Management Ethernet interface VRF supports both IPv4 and IPv6 address families.

Wednesday, November 15, 2017

Juniper SRX Commnit Error "No rulebase configured for active policy"

I have been dealing with Juniper SRX IDP error many times when NSM was been used. Mostly those errors are caused by corrupted signature DB or not enough storage space on SRX itself. Here is the latest one I encountered.

From Space, if I make a new change on firewall policy and push it to gateway, I will get following errors.

Sunday, November 5, 2017

Upgrade Cisco 4500 Switches IOS and ROMM and Failed to Enable VSS (Virtual Switching System)

In one of my clients environment, there are two Cisco 4510 running and HSRP has been configured. It has been discussed to upgrade it to VSS (Virtual Switching System) during last a couple of months. The main driven to get VSS is to have dual homed hosts run Etherchannel to connect to those two 4510R+E switches. Obviously converting the core switches to VSS (and having MEC - Multichassis EtherChannel - configured in dist/access switches) helps you to improve overall performance as both fabric will be active in VSS and traffic load-balanced. No more STP blocking port in the dist/access switches, while getting chassis-level redundancy.

There were a try to implement VSS but failed. All steps were recorded here to future reference since it is still working on. The Error messages show IOS version mismatch although both 4510R+E are having same IOS version:

*Oct 22 13:49:30.890: %C4K_REDUNDANCY-2-IOS_VERSION_CHECK_FAIL: STANDBY:IOS version mismatch. Active supervisor version is 15.2(2)E6 (cat4500es8-UNIVERSALK9-M). Standby supervisor version is 15.2(2)E6 (cat4500es8-UNIVERSALK9-M). Redundancy feature may not work as expected.

Virtual Switching System 1440
Compared to Traditional Network Design

High Availability Network Design
Simplified Using Virtual Switching System

NetSec Youtube Videos