Tag Archives: Security

Read it, then try it—with Juniper vLabs

Juniper vLabs is a web-based platform that lets you try out Juniper products and features at any time, in a no-risk environment. Leveraging the vMX, vQFX, and vSRX product lines, vLabs provide a variety of standalone devices and preset topologies. Reservable in advance or on-demand, vLabs are free to access and open to everyone.

Juniper vLabs takes a “read-it-then-try-it” approach to learning. This offering guides you from product and solutions documentation to a live environment where you can get hands-on experience.

Enter Juniper vLabs.

https://youtu.be/Zt5fiVhNgFQ

IP Express Consulting

If you are looking for consulting services for your projects, upgrades, or advice, contact me.

Network Design:
  • Internet connectivity
  • DataCenter/Campus architecture
  • Internet edge connectivity
  • Advanced IP routing environments
  • Device management and monitoring
  • Public Cloud (Azure/AWS/Google)
Security solutions
  • Network Device hardening
  • DMZ design and deployment
  • Firewall configuration review
  • Remote-access VPN deployments
  • PKI
Writing
  • Technical papers
  • Whitepapers
  • Network documentation
  • Templating
  • Network/Security Assessment

If you want to receive a sample of my work, contact me.



Juniper Networks Certified Expert Data Center (JNCIE-DC) Open for Registration

At the pinnacle of the Data Center certification track is the 1-day JNCIE-DC practical exam. This exam is designed to validate a networking professional's ability to deploy, configure, manage, and troubleshoot Junos-based platforms. Throughout this 8-hour practical exam, candidates build a data center network consisting of multiple MX Series and QFX Series devices. Successful candidates perform system configuration on all devices, including management capabilities, a Clos IP fabric, EVPN/VXLAN, DCI, and CoS features.

The JNCIE-DC is valid for three years. Recertification is achieved by passing the current version of the JNCIP-DC exam or by attending a corresponding course.

Exam Overview

Exam code: JPR-980

Lab Exam (Hands-on Lab)

Held at selected Juniper Networks testing centers

Exam length: 8 hours

Prerequisite certification: JNCIP-DC

The lab will be available 3 April 2017

Junos Software Release:

  • MX80 3D Universal Edge Router: 16.1
  • QFX5100 Ethernet Switch: 14.1
  • vMX 3D Universal Edge Router: 15.1
  • vSRX Services Gateway: 12.1

Topics for the Exam

Management

  • On-box Scripts
    • Event scripts
    • Commit scripts
    • Operation scripts
  • Junos Space
    • Auto discover
    • Configuration management
  • ZTP
    • Initial provisioning of QFX switches using a CentOS DHCP server
  • NETCONF

Layer 2 Underlay

  • VCF configurations
    • Master and backup RE
    • Inactive state VCF member
    • VCP port setup
  • Convert interface speed
    • 40G to 4x10G
  • MC-LAG
    • Interchassis link (ICL) redundancy
    • IRB MAC Sync
    • Layer 3 gateway function
    • ICCP

Layer 3 Underlay

  • BGP for an IP Clos fabric
    • Clos IP fabric
    • Loopback interface for routing updates
    • EBGP in an IP fabric
    • Avoid blackholing traffic
    • Routing policies

Controllerless Overlay

  • EVPN control plane
    • EVPN signaling
    • EVPN routes
    • VNI target communities
    • Prevent suboptimal routing
    • Inter-VRF routing
    • Automatic route-target
    • Load balancing
    • Anycast Gateway
  • EVPN/VXLAN
    • Virtual tunnel end point function
    • VXLAN learning process
    • MAC address learning
    • Passing traffic between VNIs

Data Center Interconnect (DCI)

  • DCI
    • EVPN signaled VXLAN
    • L3VPN implementation
    • EVPN MPLS

Security

  • Control plane protection
    • Firewall filters
    • Role-based access control (RBAC)
  • SRX Series device as a gateway
    • Security zones
    • Security policies

Class of Service (CoS)

  • CoS features
    • Loss priority
    • Rewrite rules
    • Shaping and policing
    • Scheduling
    • BA and MF classification
    • Drop profiles
    • Traffic control profiles

I took the F5 101v2-Application Delivery Fundamentals beta exam

I was a guinea pig for the F5 101v2 beta and I did well, I guess. After answering 140 questions in 150 minutes + an extension of 30 minutes (not a native English speaker, but it was not necessary), the hard part was reviewing all my answers, yes, all 140 again! I didn't find it as hard as mentioned by other guys who did the 101v1. After you submit the exam you can comment on the questions (no chance to change answers at this point); personally I did it to give the F5 team my understanding of what they can improve! But they could give the cert away to the guys who passed this exam, yes, it's Christmas! :)

And yes, unlike other exams, you can go back and forward!

All 5 sections have the same score, so I got 75%.

I wrote a post about my Study Notes for this exam, so check it out!

This exam is one of the prerequisites for Exam 201 – TMOS Administration, to achieve the F5 BIG-IP Certified Administrator.


And even virtually I have my logo!


Study Notes for F5 101v2-Application Delivery Fundamentals exam

As I said before, I got an opportunity to test my knowledge (101v2 beta) and of course learn more about F5 ADC and other stuff. The information you need to learn is published in the official Blueprint Application Delivery Fundamentals. This new version will be available in Q1 2015.

F5 doesn't have any guide (book, etc.) like most vendors have, so you need to do it yourself. But I found a nice compilation done by Philip Jönsson (direct link) and another one by Rich Hill.

A good tool is F5 University, where you have free WBTs on LTM & APM (and more!!!), and hands-on time on a virtual lab (code 10.x and 11.x). I think the most important are:

Getting Started with BIG-IP: Part 1 – Administration

Getting Started with BIG-IP: Part 2 – Application Delivery

Getting Started with BIG-IP Access Policy Manager (APM)

Getting Started with BIG-IP LTM: Part 1 – High Availability and Traffic Processing

Getting Started with BIG-IP LTM: Part 2 – iRules and Accelerating Traffic

Viprion Basics

HTTP Basics I

HTTP Basics II

A few facts:

  • The exam is based on 11.4.0 code
  • Exam cost: 105 euros + VAT
  • The 101v2 exam will have 80 questions (70 scored and 10 unscored), with a minimum of 69% to pass
  • Prerequisite for the next level, Exam 201 – TMOS Administration, and for becoming an F5 Certified BIG-IP Administrator (F5-CA)
  • All questions are scored equally
  • A passed exam is valid for 2 years
  • Most people agree that the v2 beta exam is much harder than the v1 production exam (mostly because of the number of questions).

I took the following information from http://veritablenetworks.blogspot.pt/ (Rich Hill) and changed a few things for the renewed exam (101v2).

You can download my personal notes here.

Section 1 – OSI

Most of this information is common knowledge in the networking industry, but you probably don't know a few things, especially when you get to the application-layer protocols (sorry if I undervalue you!). The Wikipedia articles play a big role here, and yes, Wikipedia rulez!

  • Objective 1.01 – Explain, compare and contrast the OSI layers

OSI Model Wiki
Another OSI Model Overview

  • Objective 1.02 – Explain protocols and technologies specific to the data-link layer

Explain the purpose of a switch’s forwarding database
ARP
ARP on F5
MAC Address
Broadcast Domain
VLANs
Link Aggregation Wiki
Big IP Link Aggregation

  • Objective 1.03 – Explain protocols and apply technologies specific to the network layer

Routing on F5
TCP/IP Overview
IP Addressing & Subnetting
Routing Protocols
IP Packet Fragmentation
IP TTL (Time to Live)

  • Objective 1.04 – Explain the features and functionality of protocols and technologies specific to the transport layer

MTU / MSS
TCP Functionality
UDP Functionality
TCP Connection Setup by Virtual Server Type
TCP Profile Settings (Tunables)
UDP Profile Settings (Tunables)
TCPDUMP on F5
Retransmissions
Functionality of ports in general
Process of a reset

  • Objective 1.05 – Explain the features and functionality of protocols and technologies specific to the application layer

Application Layer Traffic Management on F5
HTTP Functionality
HTTP Status Codes
HTTP Headers
F5 HTTP White Paper
DNS Functionality
DNS Record Types
SIP Functionality
F5 SIP White Paper
FTP Functionality
SMTP Functionality
HTTP Cookies
My Name is URL

Section 2 – F5 Solutions and Technology

In this section, we get into the actual F5 Solutions. Most engineers taking this exam will be experienced with LTM and iRules, but little else. Hopefully, the familiarity gained from the F5 datasheets and white papers shown below will help you to understand the breadth of the F5 offerings. Prepare to take the first step into a larger world.

  • Objective 2.01 – Articulate the role of F5 products

Access Policy Manager (APM)
Application Security Manager (ASM)
Local Traffic Manager (LTM)
Global Traffic Manager (GTM)
Enterprise Manager
BIG-IQ and ADN Management
F5 White Papers
F5 Datasheets

  • Objective 2.02 – Explain the purpose, use and advantages of iRules

iRule Wiki (Requires Devcentral Login)

  • Objective 2.03 – Explain the purpose, use and advantages of iApps

iApp Wiki (Requires Devcentral Login)

  • Objective 2.05 – Explain the purpose of and use cases for full proxy and packet forwarding/packet based architectures

Full Proxy Architecture (Lori MacVittie rules!)
Packet-Based vs Full Proxy
SNAT
Virtual Server Types

  • Objective 2.06 – Explain the advantages and configurations of high availability (HA)

F5 HA Basics
Config Sync
Big IP HA Features
Mirroring
VLAN Failsafe

Section 3 – Load Balancing Essentials

This section is a short one compared to the previous two. If you’re going after an F5 certification, you’re probably already familiar with much of this material, so you probably won’t have to study as much for this section. It never hurts to brush up on the algorithms and persistence methods.

  • Objective 3.01 – Discuss the purpose of, use cases for, and key considerations related to load balancing

Load Balancing Wiki
Load Balancing 101
Load Balancing Algorithms (Devcentral)
More on Load Balancing Algorithms
Another Load Balancing Algorithm Article
Yet Another Load Balancing Algorithm Article
Persistence

  • Objective 3.02 – Differentiate between a client and a server

Client / Server on Wiki – Yes, I’m surprised this is even a question.

Section 4 – Security

  • Objective 4.01 – Compare and contrast positive and negative security models

Positive Security Model
Positive vs Negative Security

  • Objective 4.02 – Explain the purpose and cryptographic services

Cryptography
SSL Certificates (Devcentral)
Certificate Chains
Public-Key Cryptography
Symmetric vs Asymmetric Encryption
Client SSL Profiles
Server SSL Profiles
SSLDUMP Utility

  • Objective 4.03 – Describe the purpose and advantages of authentication

F5 Authentication 101
AAA
Single Sign On
Multi-factor Authentication

  • Objective 4.04 – Describe the purpose, advantages and use cases of IPsec and SSL VPN

SSL VPN
IPsec VPN
IPSEC vs SSL VPN

Section 5 – Application Delivery Platforms

  • Objective 5.01 – Describe the purpose, advantages, use cases, and challenges associated with hardware-based application delivery platforms and virtual machines

Virtualization
Virtualization Platforms

  • Objective 5.02 – Describe the purpose of the various types of advanced acceleration techniques.

Application Performance Optimization
TCP Optimization
Oneconnect
Caching
Compression
Pipelining
Acceleration 101

This is everything you need to know, but try to learn something more in depth!

References:

BIG-IP LTM 11.4.0 Documentation

Exam 101 – Application Delivery Fundamentals

Exam 201 – TMOS Administration

F5 Certification Program

JunOS Cup 2014 Game Over

It was without doubt an interesting challenge, and I came very close to some of the solutions proposed by Juniper :). Some of the challenges were really tricky!

In short, I won a voucher for a certification and 25 VM units to use on Junosphere. In any case, congratulations to the winners!

These were the flags I won in the tournament; for a Juniper beginner, not bad :)

Update 17 July 2014

Three winners were ranked with the same number of points, and one of them was Portuguese. The final challenge, Antarctica (Type: Enterprise, Difficulty: High), was decisive in picking the winner.

Tournament #1 – Junos Cup Challenges

Country                  Challenge                                               Type/Difficulty            I got it :)
Honduras                 Internet over a MPLS-free Core                          Service Provider/Medium
Russia                   MPLS BGP Traffic Drop                                   Service Provider/Hard
South Korea              IPTV over Circuit Cross-Connects                        Service Provider/Hard
Bosnia and Herzegovina   The Erratic Default Gateway                             Enterprise/Medium          yes
Switzerland              Aggregated Ethernet Failover                            Enterprise/Medium          yes
USA                      The Flapping Ping                                       Enterprise/Hard
Greece                   IPSEC VPN #1                                            Security/Medium            yes
Argentina                The Reacting Probe                                      Automation/Medium          yes

Tournament #2

Country                  Challenge                                               Type/Difficulty            I got it :)
Cameroon                 MPLS BGP & FIB Scaling                                  Service Provider/Medium
England                  Reverse Engineering Saga Episode 2 – The Broken IGP     Service Provider/Medium
Iran                     LDP with Tagged Traceroute                              Service Provider/Hard
Spain                    Traffic Engineering Constraints                         Service Provider/Hard
Uruguay                  Ping on Virtual Routers                                 Enterprise/Medium          yes
Japan                    Bridging with Virtual Switches                          Enterprise/Medium          yes
Netherlands              SRX Network Address Translation #1                      Security/Hard              yes
Brazil                   The Obscure CLI Provisioning                            Automation/Hard

Tournament #3

Country                  Challenge                                               Type/Difficulty            I got it :)
Portugal                 End-to-End Class of Service                             Service Provider/Hard
Chile                    Reverse Engineering Saga, Episode 3 – The Strange BGP   Service Provider/Medium
France                   Seamless MPLS                                           Service Provider/Hard
Mexico                   Displaying Remote MAC Address                           Enterprise/Medium          yes
Ivory Coast              OSPF on L3VPN Customized Connectivity                   Service Provider/Hard      yes
Colombia                 OSPF Topology Convergence                               Enterprise/Hard
Italy                    SRX Network Address Translation #2                      Security/Medium
Costa Rica               The Remote Task Execution                               Automation/Medium          yes

Tournament #4

Country                  Challenge                                               Type/Difficulty            I got it :)
Belgium                  BGP Multicast VPN                                       Service Provider/Medium
Croatia                  Reverse Engineer Saga, Episode 4 – The Puzzling MPLS    Service Provider/Medium
Nigeria                  Tuning LSP Choice in L3VPN                              Service Provider/Hard
Ecuador                  Class of Service at Egress L3VPN PE                     Service Provider/Hard
Algeria                  One-Hop Ping                                            Enterprise/Medium
Ghana                    Ping on Aggregated Ethernet                             Enterprise/Hard
Germany                  Inter-Instance Flows                                    Enterprise/Hard
Australia                IPSEC VPN #2                                            Security/Hard

Juniper Certifications June 2013

The Juniper Networks Certification Program (JNCP) pyramid is divided into 4 levels, with JNCIA as the entry level. It aims to give network engineers the foundations of how to operate and manage Juniper platforms. The JNCP is essentially divided into 3 tracks, but there are also some certifications tied exclusively to specific Juniper products.

As of today, the tracks are the following:

Level    Enterprise Routing & Switching    Junos Security    Service Provider Routing & Switching
JNCIE    JNCIE-ENT                         JNCIE-SEC         JNCIE-SP
JNCIP    JNCIP-ENT                         JNCIP-SEC         JNCIP-SP
JNCIS    JNCIS-ENT                         JNCIS-SEC         JNCIS-SP
JNCIA    JNCIA-Junos                       JNCIA-Junos       JNCIA-Junos

Support-specific tracks were recently introduced:

Level    Enterprise Routing & Switching Support    Junos Security Support    Service Provider Routing & Switching Support
JNCSP    JNCSP-ENT                                 JNCSP-SEC                 JNCSP-SP

The JNCP also offers some tracks oriented exclusively to products; these are:

Product and Technology Track    Certifications (JNCIA / JNCIS / JNCIP; these tracks have no JNCIE level)
E-Series                        JNCIA-E, JNCIS-E, JNCIP-E
Firewall/VPN                    JNCIS-FWV
IDP                             JNCIA-IDP
Junos Pulse Access Control      JNCIS-AC
Junos Pulse Secure Access       JNCIS-SA
QFabric                         JNCIS-QF
Wireless LAN                    JNCIS-WLAN
WX Series                       JNCIA-WX

This is always the dilemma of any network engineer, regardless of role (architecture/design/support/...): when should I renew my certification? As with other vendors, it is possible to renew in a smart way by passing the next level, which keeps the previous ones valid. This is also how Juniper (or any vendor) "pushes" you toward the top of the pyramid. In the JNCP, every certification is valid for 2 years.

The big difference from Cisco in this respect is that to renew a JNCIE, whatever the track, you must renew the JNCIP of the same track. Cisco uses a different approach: to renew a CCIE in any track it is enough to pass, for example, a second CCIE Written and/or Lab from another track, or the specific recertification Written exam.

It is not possible to take the JNCIE directly; the intermediate certifications must be obtained on the way up to the top of the pyramid (JNCIE).

Possible certification statuses:

Active (timeframe: two years)
  • Eligible for all benefits
  • Qualify under the Partner certification compliance requirements

Inactive (timeframe: one year following the Active period)
  • Can be recertified
  • Are not eligible for benefits
  • Do not qualify under the Partner certification compliance requirements
  • Can still be used to fulfill prerequisite requirements for written exams
  • Cannot be used to fulfill prerequisite requirements for JNCP Lab Exams

Expired (at the end of the Inactive period)
  • Cannot be recertified
  • Are not eligible for benefits
  • Do not qualify under the Partner certification compliance requirements
  • Cannot be used to fulfill any prerequisite requirements
  • Candidates with an expired certification must start again at the bottom of that certification track

Renewals and their correspondence:

Level      Renew by maintaining the certification level                    Renew by advancing the certification level
JNCIA      Pass the current JNCIA exam in the same certification track     Pass the current JNCIS exam in the same certification track
JNCIS      Pass the current JNCIS exam in the same certification track     Pass the current JNCIP exam in the same certification track
JNCIP      Pass the current JNCIP exam in the same certification track     Pass the current JNCIE Lab Exam in the same certification track
JNCIP-E    Pass the current JNCIS-E exam                                   N/A
JNCIE      Pass the current JNCIP exam in the same certification track     N/A

CCNP Security Exams Update

Cisco's CCNP Security certification will soon be renewed with a new structure; see the CCNP Security link for more details.

Old exam (last day to test: April 21, 2014)    Recommended training                                                 New exam         Recommended training
642-637 SECURE v1.0                            Securing Networks with Cisco Routers and Switches (SECURE v1.0)      300-208 SISAS    Implementing Cisco Secure Access Solutions (SISAS)
642-627 IPS v7.0                               Implementing Cisco Intrusion Prevention System v7.0 (IPS v7.0)       300-207 SITCS    Implementing Cisco Threat Control Solutions (SITCS)
642-618 FIREWALL v2.0                          Deploying Cisco ASA Firewall Solutions (FIREWALL v2.0)               300-206 SENSS    Implementing Cisco Edge Network Security Solutions (SENSS)
642-648 VPN v2.0                               Deploying Cisco ASA VPN Solutions (VPN v2.0)                         300-209 SIMOS    Implementing Cisco Secure Mobility Solutions (SIMOS)

The presentations on the new exams at Cisco Live Milan 2014:

BRKCRT-2203 – Implementing Cisco Secure Access Solutions – Preparing for the SISAS Exam

BRKCRT-2211 – Implementing Cisco Threat Control Solutions – Preparing for the SITCS Exam

BRKCRT-2204 – Implementing Cisco Edge Network Security Solutions – Preparing for the SENSS Exam

BRKCRT-2205 – Implementing Cisco Secure Mobility Solutions – Preparing for the SIMOS Exam

Notes: Unicast Reverse Path Forwarding (uRPF)

uRPF examines the source IP address of each incoming packet and decides whether to forward or drop it according to the configured mode. The feature limits DDoS traffic that relies on spoofed source addresses. To check the source IP of packets on the incoming interface, enable Unicast Reverse Path Forwarding with the interface command ip verify unicast source reachable-via { rx | any } [allow-default] [allow-self-ping] [list] (CEF must be enabled, because the lookup is done against the FIB).

Packets can be examined in two ways:

  • Strict RPF – with the rx keyword, the router looks up the best path back to the source address in the routing table (FIB) and requires that it exits through the same interface on which the packet was received. Otherwise the packet is dropped.
  • Loose RPF – with the any keyword, the router only checks that some route to the source address exists, through any interface.

By default the check ignores the default route; to let the default route satisfy the check, add the allow-default keyword.

One concern when deploying this feature is asymmetric flows: strict mode drops legitimate traffic whose return path leaves through a different interface, so loose mode is the scalable option for networks with asymmetric routing paths. When the check fails, the optional ACL (list) is consulted: sources it permits are still forwarded, sources it denies are dropped and counted as verification drops.

Examples:

Topology (interfaces and addresses as configured below):

R2 f0/0 (192.168.10.1/24, legitimate 192.168.10.0/24 side) ... R2 f0/1 (192.168.20.2/24) ------- f0/1 (192.168.20.1/24) R3 (spoofed address on Loopback10)

Example 1:

Spoofed source address in 192.168.10.0/24 (R3 sources packets from 192.168.10.1, a prefix R2 reaches via f0/0, not via the receiving interface f0/1)

R2(config)#
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/1
ip address 192.168.20.2 255.255.255.0
ip verify unicast source reachable-via rx
!
ip route 0.0.0.0 0.0.0.0 192.168.20.1

R3(config)#
ip route 0.0.0.0 0.0.0.0 192.168.20.2

interface loop10
desc spoof address
ip address 192.168.10.1 255.255.255.0

interface loop11
ip address 1.1.1.1 255.255.255.0

interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0

R3(config)#do ping 10.10.10.10 source loop10 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
..
Success rate is 0 percent (0/2)

R2#sh ip traffic
IP statistics:

Drop: 1982 encapsulation failed, 0 unresolved, 0 no adjacency
9 no route, 2 unicast RPF, 0 forced drop
0 options denied

R2#sh ip int f0/1
FastEthernet0/1 is up, line protocol is up
Internet address is 192.168.20.2/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes

IP verify source reachable-via RX
2 verification drops

Example 2:
Exempt networks from the uRPF check using an ACL (sources that fail the check but are permitted by the ACL are still forwarded)

R2(config)#

access-list 10 permit 1.1.1.0 0.0.0.255

interface FastEthernet0/1
no ip verify unicast source reachable-via rx
ip verify unicast source reachable-via rx 10

R3(config)#
no interface loopback10

R3(config)#do ping 192.168.10.1 source loop11 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 30/40/49 ms

Example 3:

Allow a source that is reachable only through the default route to pass the uRPF check

First remove the ACL exemption from Example 2 (on R2, where the check is configured):

R2(config)#

interface FastEthernet0/1
no ip verify unicast source reachable-via rx 10
ip verify unicast source reachable-via rx

R3(config)#do ping 192.168.10.1 source loop11 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
..
Success rate is 0 percent (0/2)

! Allow the default route to satisfy the uRPF check when no more specific route to the source exists

R2(config)#

interface FastEthernet0/1
ip verify unicast source reachable-via rx allow-default

R3(config)#do ping 192.168.10.1 source loop11 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 40/46/52 ms

R2#sh ip int f0/1
FastEthernet0/1 is up, line protocol is up
Internet address is 192.168.20.2/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes

IP verify source reachable-via RX, allow default
4 verification drops
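To make the three examples above easier to reason about, here is the uRPF decision logic as an added Python model (example code written for this page, not Cisco's implementation and not from the original post). It performs the longest-prefix lookup on the packet's source address against R2's routing table as configured above and applies the strict/loose mode, the allow-default keyword and the exempt ACL. The RIB entries, the examples() helper and the extra loose-mode packet (source 192.168.10.5) are constructed for the demonstration.

```python
"""uRPF decision logic, modelled in Python.

Added example, not from the original post: it reproduces the lookup a Cisco IOS
router performs on a packet's *source* address for strict (rx), loose (any),
allow-default and the exempt ACL ("list") argument, using R2's routing table
from the examples above. The RIB entries and the loose-mode packet are
constructed for this demonstration.
"""
from ipaddress import ip_address, ip_network

# R2's routing table (FIB): two connected /24s and the static default toward R3.
R2_RIB = [
    (ip_network("192.168.10.0/24"), "FastEthernet0/0"),  # connected, legitimate 192.168.10.0/24 side
    (ip_network("192.168.20.0/24"), "FastEthernet0/1"),  # connected link to R3
    (ip_network("0.0.0.0/0"), "FastEthernet0/1"),        # ip route 0.0.0.0 0.0.0.0 192.168.20.1
]


def lookup(rib, addr):
    """Longest-prefix match for addr; returns (prefix, egress interface) or None."""
    best = None
    for prefix, iface in rib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_check(rib, src, in_iface, mode="rx", allow_default=False, exempt_acl=()):
    """Decide whether a packet with source `src` arriving on `in_iface` passes uRPF.

    mode:          "rx" = strict (best path to the source must point back out in_iface),
                   "any" = loose (any route to the source is enough).
    allow_default: let the default route satisfy the check (allow-default keyword).
    exempt_acl:    prefixes (the optional ACL) whose sources are forwarded even
                   when the check fails; everything else that fails is dropped.
    Returns (verdict, reason) with verdict "forward" or "drop".
    """
    src = ip_address(src)
    match = lookup(rib, src)
    if match is not None and match[0].prefixlen == 0 and not allow_default:
        match = None  # the default route is ignored unless allow-default is set
    if match is None:
        ok, reason = False, "no (non-default) route to source"
    elif mode == "any":
        ok, reason = True, f"loose: a route to the source exists via {match[1]}"
    else:
        ok = match[1] == in_iface
        reason = f"strict: best path to source via {match[1]}, packet arrived on {in_iface}"
    if not ok and any(src in ip_network(p) for p in exempt_acl):
        return "forward", reason + "; permitted by exempt ACL"
    return ("forward" if ok else "drop"), reason


def examples():
    """The three cases from the post, plus one constructed loose-mode case."""
    f01 = "FastEthernet0/1"
    return {
        # Example 1: R3 spoofs 192.168.10.1, a prefix R2 reaches via f0/0 -> dropped
        "ex1_spoofed_source": urpf_check(R2_RIB, "192.168.10.1", f01)[0],
        # Example 2: 1.1.1.1 matches only the (ignored) default, but ACL 10 exempts it
        "ex2_acl_exempt": urpf_check(R2_RIB, "1.1.1.1", f01, exempt_acl=["1.1.1.0/24"])[0],
        # Example 3a: same source, no ACL, default route ignored -> dropped
        "ex3_default_ignored": urpf_check(R2_RIB, "1.1.1.1", f01)[0],
        # Example 3b: allow-default, and the default points out f0/1 (receiving interface) -> forwarded
        "ex3_allow_default": urpf_check(R2_RIB, "1.1.1.1", f01, allow_default=True)[0],
        # Loose mode tolerates an asymmetric path: a route exists, even via another interface
        "loose_asymmetric": urpf_check(R2_RIB, "192.168.10.5", f01, mode="any")[0],
    }


if __name__ == "__main__":
    for name, verdict in examples().items():
        print(f"{name:22s} -> {verdict}")
```

Running it prints one verdict per case: example 1 drops because 192.168.10.0/24 is reached via f0/0, example 2 forwards only because ACL 10 permits 1.1.1.0/24, and example 3 flips from drop to forward once allow-default lets the static default (which points out f0/1, the receiving interface) satisfy the strict check. The last case shows why loose mode is the safe choice on interfaces with asymmetric return paths.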

Notes: IP Source Guard

IP Source Guard ensures that traffic entering a Layer 2 port is sourced by a legitimate host. It uses the DHCP snooping binding table and static IP source bindings to match the source IP address of packets on untrusted Layer 2 ports.
Initially all traffic on the port is blocked except DHCP packets. Once a client obtains an address via DHCP, or a static binding is configured, traffic from that IP address is allowed; anything else on the port stays filtered.

Syntax:

Router(config)# ip dhcp snooping
Router(config)# ip dhcp snooping vlan number [number]
Router(config)# interface interface-name
Router(config-if)# no ip dhcp snooping trust
Router(config-if)# ip verify source vlan dhcp-snooping
Router(config)# ip source binding mac-address vlan vlan-id ip-address interface interface-name

Example:

Configure interface fa6/1 as an access port in VLAN 10 and enable IP Source Guard
Router(config)# ip dhcp snooping
Router(config)# ip dhcp snooping vlan 10 20
Router(config)# interface fa6/1
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 10
Router(config-if)# no ip dhcp snooping trust
Router(config-if)# ip verify source vlan dhcp-snooping

Router# show ip verify source

Interface  Filter-type  Filter-mode                IP-address  Mac-address     Vlan
---------  -----------  -------------------------  ----------  --------------  -----
fa6/1      ip           active                     10.0.0.1                    10
fa6/1      ip           active                     deny-all                    11-20
fa6/2      ip           inactive-trust-port
fa6/3      ip           inactive-no-snooping-vlan
fa6/4      ip           active                     10.0.0.2    aaaa.bbbb.cccc  10
fa6/4      ip           active                     11.0.0.1    aaaa.bbbb.cccd  11
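The filtering decision the switch makes for each frame, as an added Python model (example code written for this page, not Cisco's implementation and not from the original post). It mirrors the states in the show output above: DHCP is always allowed, a trusted port or a VLAN without snooping leaves the filter inactive, a port/VLAN without any binding is deny-all, and everything else must match a binding. The binding table is taken from the output above; the frames, MAC addresses and the ip+mac mode (the port-security form of the command, which the page does not show) are constructed assumptions.

```python
"""IP Source Guard filtering decision, modelled in Python.

Added example, not from the original post. Models what the switch does with a
frame entering a Layer 2 port once `ip verify source` is active. The binding
table mirrors the `show ip verify source` output above; frames, MACs and the
ip+mac mode are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    interface: str
    vlan: int
    ip: str
    mac: str = ""  # empty when the binding only carries an IP address


# Bindings learned by DHCP snooping or configured with `ip source binding`.
BINDINGS = [
    Binding("fa6/1", 10, "10.0.0.1"),
    Binding("fa6/4", 10, "10.0.0.2", "aaaa.bbbb.cccc"),
    Binding("fa6/4", 11, "11.0.0.1", "aaaa.bbbb.cccd"),
]
SNOOPING_VLANS = set(range(10, 21))               # ip dhcp snooping vlan 10-20
TRUSTED_PORTS = {"fa6/2"}                         # ip dhcp snooping trust
ISG_PORTS = {"fa6/1", "fa6/2", "fa6/3", "fa6/4"}  # ip verify source vlan dhcp-snooping


def ip_source_guard(frame, filter_mac=False):
    """Return (verdict, reason) for a frame entering the switch.

    frame: dict with interface, vlan, src_ip, src_mac and dhcp (bool).
    filter_mac=True models ip+mac filtering: the source MAC must match the
    binding as well (assumption: the port-security form of the command).
    """
    port, vlan = frame["interface"], frame["vlan"]
    if port not in ISG_PORTS:
        return "permit", "IP Source Guard not enabled on this port"
    if port in TRUSTED_PORTS:
        return "permit", "inactive-trust-port"
    if vlan not in SNOOPING_VLANS:
        return "permit", "inactive-no-snooping-vlan"
    if frame["dhcp"]:
        return "permit", "DHCP is always allowed so the host can obtain a lease"
    port_bindings = [b for b in BINDINGS if b.interface == port and b.vlan == vlan]
    if not port_bindings:
        return "deny", "deny-all: no binding yet for this port/VLAN"
    for b in port_bindings:
        if b.ip != frame["src_ip"]:
            continue
        if filter_mac and b.mac and b.mac != frame["src_mac"]:
            continue  # IP matches but the MAC does not: still not the bound host
        return "permit", f"matches binding {b.ip}" + (f"/{b.mac}" if filter_mac and b.mac else "")
    return "deny", "source does not match any binding (spoofed or static address)"


def demo():
    """Constructed frames covering each filter state of the show output."""
    def frame(port, vlan, ip, mac="0000.1111.2222", dhcp=False):
        return {"interface": port, "vlan": vlan, "src_ip": ip, "src_mac": mac, "dhcp": dhcp}

    return {
        "legit_host": ip_source_guard(frame("fa6/1", 10, "10.0.0.1"))[0],
        "spoofed_ip": ip_source_guard(frame("fa6/1", 10, "10.0.0.99"))[0],
        "dhcp_discover": ip_source_guard(frame("fa6/1", 20, "0.0.0.0", dhcp=True))[0],
        "no_binding_yet": ip_source_guard(frame("fa6/1", 20, "10.0.20.5"))[0],
        "trusted_port": ip_source_guard(frame("fa6/2", 10, "10.0.0.250"))[0],
        "no_snooping_vlan": ip_source_guard(frame("fa6/3", 5, "10.0.5.1"))[0],
        "mac_mismatch": ip_source_guard(frame("fa6/4", 10, "10.0.0.2", mac="dead.beef.0000"), filter_mac=True)[0],
        "ip_and_mac_ok": ip_source_guard(frame("fa6/4", 10, "10.0.0.2", mac="aaaa.bbbb.cccc"), filter_mac=True)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

Note that a host with a statically configured address on an untrusted port is treated exactly like a spoofer: without a DHCP lease or an explicit ip source binding entry, its traffic is dropped, which is the usual operational surprise when this feature is first turned on.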

Junos Fundamentals Day One

Juniper provides a series of books about Junos, which it calls Day One. They aim to introduce new users to the capabilities of Junos OS so they gain enough knowledge to configure and manage this type of equipment.

This Junos Fundamentals series includes:

Hardening Junos Devices

Juniper Networks takes the security of its products very seriously and has created proven processes and procedures following industry best practices. This Week: Hardening Junos Devices divides Juniper's hardening procedures into four topic areas – Non-Technical, Physical Security, Operating System Security, and Configuration Hardening – and delves into sample strategies, example configurations, and dozens of suggestions and useful tips for each.

Configuring Junos Policies and Firewall Filters

Control routing information and influence packet flow through your Juniper Networks router or switch by mastering the primary building blocks of Junos policy, firewall filters, and policers.

Deploying Basic QoS

Build upon a basic model of QoS behaviors with the levers and knobs that Junos can use to influence each of those behaviors.

Junos Tips, Techniques, and Templates 2011

Here's a Junos tips and tricks book that's meant to be browsed with a terminal open to your favorite Junos device so you can try each and every technique.

Securing the Routing Engine on M, MX, and T Series

Learn how to secure the routing engine step-by-step, then build a modular firewall filter and apply it.

Exploring the Junos CLI

Learn about new tools, shortcuts and safeguards and save yourself hours at the keyboard.

Configuring Junos Basics

Learn how to configure the base settings of your router, switch or security device.

Monitoring and Troubleshooting

Learn how to monitor your network and troubleshoot events in Junos.

References:

Junos Fundamentals

Cisco Officially Announces CCIE Security v4

Cisco has officially announced the new version of CCIE Security, v4, after some rumours on blogs. Anyone with the Written exam scheduled up to 16 November 2012 should continue to follow v3; after that date the new version applies.

This new version brings considerable changes, such as:
Cisco Secure ACS 5.x, Cisco Identity Services Engine (ISE) 1.x, ISR G2, 3750-X switch, ASA 8.4.x / 8.6.x, WLC 2500, Aironet APs, etc.

Hardware list:

  • Cisco 3800 Series Integrated Services Routers (ISR)
  • Cisco 1800 Series Integrated Services Routers (ISR)
  • Cisco 2900 Series Integrated Services Routers (ISR G2)
  • Cisco Catalyst 3560-24TS Series Switches
  • Cisco Catalyst 3750-X Series Switches
  • Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
  • Cisco IPS Series 4200 Intrusion Prevention System sensors
  • Cisco S-series Web Security Appliance
  • Cisco ISE 3300 Series Identity Services Engine
  • Cisco WLC 2500 Series Wireless LAN Controller
  • Cisco Aironet 1200 Series Wireless Access Point
  • Cisco IP Phone 7900 Series
  • Cisco Secure Access Control System 5X

Software list:

  • Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
  • Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
  • Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
  • Cisco IPS Software Release 7.x
  • Cisco VPN Client Software for Windows, Release 5.x
  • Cisco Secure ACS System software version 5.x
  • Cisco WLC 2500 Series software 7.x
  • Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)
  • Cisco WSA S-series software version 7.x
  • Cisco ISE 3300 series software version 1.x.

More details can be found at:

CCIE Security—News & Announcements

https://learningnetwork.cisco.com/docs/DOC-4324

CCIE Security Written Exam Topics v4.0

https://learningnetwork.cisco.com/docs/DOC-15248

CCIE Security Lab Exam Topics v4.0

https://learningnetwork.cisco.com/docs/DOC-15289

CCIE Security Lab Exam v4.0 Checklist

https://learningnetwork.cisco.com/docs/DOC-15291

CCIE Security Lab Equipment and Software v4.0

https://learningnetwork.cisco.com/docs/DOC-15257

CCNA and CCNP Security Curriculum Update

Both courses have been updated to include the latest products and best practices in the market.

What's new:

  • Curriculum updated to cover Cisco ASA software versions 8.3 and 8.4
  • Additional focus on Cisco AnyConnect 3.0 and the traditional IPsec clients
  • Coverage of the simplified NAT (Network Address Translation) in version 8.3+
  • Configuration of global access control lists (ACLs)
  • Extended coverage of EtherChannel
  • More support for bridge groups in transparent mode

For more information see CCNA Security and CCNP Security Updated