Tag Archives: Security

JunOS Cup 2014 Game Over

It was without doubt an interesting challenge, and I came very close to some of the solutions proposed by Juniper :). No doubt some of the challenges were really tricky!

In summary, I won a voucher for a certification and 25 VM units to use on Junosphere. In any case, congratulations to the winners!

These were the flags won in the tournament; for a beginner in Juniper, not bad :)

Update 17 July 2014

Three winners were ranked with the same number of points, and among them was a Portuguese. The final challenge, Antarctica (Type: Enterprise, Difficulty: High), was decisive in finding the winner.

Junos Cup Challenges

Tournament #1

Country                | Challenge                                              | Type/Difficulty          | I GOT IT :)
Honduras               | Internet over a MPLS-free Core                         | Service Provider/Medium  |
Russia                 | MPLS BGP Traffic Drop                                  | Service Provider/Hard    |
South Korea            | IPTV over Circuit Cross-Connects                       | Service Provider/Hard    |
Bosnia and Herzegovina | The Erratic Default Gateway                            | Enterprise/Medium        | Yes
Switzerland            | Aggregated Ethernet Failover                           | Enterprise/Medium        | Yes
USA                    | The Flapping Ping                                      | Enterprise/Hard          |
Greece                 | IPSEC VPN #1                                           | Security/Medium          | Yes
Argentina              | The Reacting Probe                                     | Automation/Medium        | Yes

Tournament #2

Country                | Challenge                                              | Type/Difficulty          | I GOT IT :)
Cameroon               | MPLS BGP & FIB Scaling                                 | Service Provider/Medium  |
England                | Reverse Engineering Saga Episode 2 – The Broken IGP    | Service Provider/Medium  |
Iran                   | LDP with Tagged Traceroute                             | Service Provider/Hard    |
Spain                  | Traffic Engineering Constraints                        | Service Provider/Hard    |
Uruguay                | Ping on Virtual Routers                                | Enterprise/Medium        | Yes
Japan                  | Bridging with Virtual Switches                         | Enterprise/Medium        | Yes
Netherlands            | SRX Network Address Translation #1                     | Security/Hard            | Yes
Brazil                 | The Obscure CLI Provisioning                           | Automation/Hard          |

Tournament #3

Country                | Challenge                                              | Type/Difficulty          | I GOT IT :)
Portugal               | End-to-End Class of Service                            | Service Provider/Hard    |
Chile                  | Reverse Engineering Saga, Episode 3 – The Strange BGP  | Service Provider/Medium  |
France                 | Seamless MPLS                                          | Service Provider/Hard    |
Mexico                 | Displaying Remote MAC Address                          | Enterprise/Medium        | Yes
Ivory Coast            | OSPF on L3VPN Customized Connectivity                  | Service Provider/Hard    | Yes
Colombia               | OSPF Topology Convergence                              | Enterprise/Hard          |
Italy                  | SRX Network Address Translation #2                     | Security/Medium          |
Costa Rica             | The Remote Task Execution                              | Automation/Medium        | Yes

Tournament #4

Country                | Challenge                                              | Type/Difficulty          | I GOT IT :)
Belgium                | BGP Multicast VPN                                      | Service Provider/Medium  |
Croatia                | Reverse Engineer Saga, Episode 4 – The Puzzling MPLS   | Service Provider/Medium  |
Nigeria                | Tuning LSP Choice in L3VPN                             | Service Provider/Hard    |
Ecuador                | Class of Service at Egress L3VPN PE                    | Service Provider/Hard    |
Algeria                | One-Hop Ping                                           | Enterprise/Medium        |
Ghana                  | Ping on Aggregated Ethernet                            | Enterprise/Hard          |
Germany                | Inter-Instance Flows                                   | Enterprise/Hard          |
Australia              | IPSEC VPN #2                                           | Security/Hard            |

Juniper Certifications June 2013

The Juniper Networks Certification Program (JNCP) pyramid is divided into 4 levels, JNCIA being the basic one. It aims to introduce Network Engineers to the foundations of operating and managing Juniper platforms. The JNCP is essentially divided into 3 tracks, but there are also some certifications tied exclusively to specific Juniper products.

 


As of today, the tracks are the following:

Junos Tracks

Level | Enterprise Routing & Switching | Junos Security | Service Provider Routing & Switching
JNCIE | JNCIE-ENT                      | JNCIE-SEC      | JNCIE-SP
JNCIP | JNCIP-ENT                      | JNCIP-SEC      | JNCIP-SP
JNCIS | JNCIS-ENT                      | JNCIS-SEC      | JNCIS-SP
JNCIA | JNCIA-Junos                    | JNCIA-Junos    | JNCIA-Junos

Support-specific tracks were recently introduced:

Junos Support Tracks

Level | Enterprise Routing & Switching Support | Junos Security Support | Service Provider Routing & Switching Support
JNCSP | JNCSP-ENT                              | JNCSP-SEC              | JNCSP-SP

 

The JNCP also offers some tracks oriented exclusively to a product; these are:

Product and Technology Tracks

Level | E-Series | Firewall/VPN | IDP       | Junos Pulse Access Control | Junos Pulse Secure Access | QFabric  | Wireless LAN | WX Series
JNCIE | -        | -            | -         | -                          | -                         | -        | -            | -
JNCIP | JNCIP-E  | -            | -         | -                          | -                         | -        | -            | -
JNCIS | JNCIS-E  | JNCIS-FWV    | -         | JNCIS-AC                   | JNCIS-SA                  | JNCIS-QF | JNCIS-WLAN   | -
JNCIA | JNCIA-E  | -            | JNCIA-IDP | -                          | -                         | -        | -            | JNCIA-WX

This is always the dilemma of any Network Engineer, whatever the role (Architecture/Design/Support/...): "when should I renew my certification?". As with other vendors, it is possible to renew in a smart way by taking the next level, which keeps the previous ones valid. This is also how Juniper (or any vendor) "pushes" you toward the top of the pyramid. In the JNCP, every certification is valid for 2 years.

The big difference from Cisco in this respect is that to renew, for example, the JNCIE, whatever the track, it is necessary to renew the JNCIP of the same track. Cisco uses a different methodology: to renew the CCIE in any track it is enough, for example, to pass a second CCIE Written and/or Lab from another track, or to take the specific renewal Written exam.

It is not possible to take the JNCIE directly, so the intermediate certifications must be obtained all the way up to the top of the pyramid (JNCIE).

Possible certification statuses:

Active (Timeframe: two years)
  • Eligible for all benefits
  • Qualify under the Partner certification compliance requirements

Inactive (Timeframe: one year following the Active period)
  • Can be recertified
  • Are not eligible for benefits
  • Do not qualify under the Partner certification compliance requirements
  • Can still be used to fulfill prerequisite requirements for written exams
  • Cannot be used to fulfill prerequisite requirements for JNCP Lab Exams

Expired (Timeframe: at the end of the Inactive period)
  • Cannot be recertified
  • Are not eligible for benefits
  • Do not qualify under the Partner certification compliance requirements
  • Cannot be used to fulfill any prerequisite requirements
  • Candidates with an expired certification must start again at the bottom of that certification track

Renewals and their corresponding exams:

Certification Level | Renew by Maintaining Certification Level                    | Renew by Advancing Certification Level
JNCIA               | Pass the current JNCIA exam in the same certification track | Pass the current JNCIS exam in the same certification track
JNCIS               | Pass the current JNCIS exam in the same certification track | Pass the current JNCIP exam in the same certification track
JNCIP               | Pass the current JNCIP exam in the same certification track | Pass the current JNCIE Lab Exam in the same certification track
JNCIP-E             | Pass the current JNCIS-E exam                               | N/A
JNCIE               | Pass the current JNCIP exam in the same certification track | N/A

CCNP Security Exams Update

Cisco's CCNP Security certification will soon be renewed with a new structure; see the CCNP Security link for more details.

 

Current exams (last day to test April 21, 2014) and their replacements:

Required Exam(s) (current) | Recommended Training (current)                                  | Required Exam(s) (new) | Recommended Training (new)
642-637 SECURE v1.0        | Securing Networks with Cisco Routers and Switches (SECURE v1.0) | 300-208 SISAS          | Implementing Cisco Secure Access Solutions (SISAS)
642-627 IPS v7.0           | Implementing Cisco Intrusion Prevention System v7.0 (IPS v7.0)  | 300-207 SITCS          | Implementing Cisco Threat Control Solutions (SITCS)
642-618 FIREWALL v2.0      | Deploying Cisco ASA Firewall Solutions (FIREWALL v2.0)          | 300-206 SENSS          | Implementing Cisco Edge Network Security Solutions (SENSS)
642-648 VPN v2.0           | Deploying Cisco ASA VPN Solutions (VPN v2.0)                    | 300-209 SIMOS          | Implementing Cisco Secure Mobility Solutions (SIMOS)

 

The presentations on the new exams at Cisco Live Milan 2014:

BRKCRT-2203 – Implementing Cisco Secure Access Solutions – Preparing for the SISAS Exam

BRKCRT-2211 – Implementing Cisco Threat Control Solutions – Preparing for the SITCS Exam

BRKCRT-2204 – Implementing Cisco Edge Network Security Solutions – Preparing for the SENSS Exam

BRKCRT-2205 – Implementing Cisco Secure Mobility Solutions – Preparing for the SIMOS Exam

Notes on Unicast Reverse Path Forwarding (uRPF)

uRPF lets the router examine a packet's source IP and decide whether to forward or drop it according to the configured method. This feature helps limit DDoS traffic that relies on spoofed source addresses. To check the source IP of packets on the incoming interface, enable Unicast Reverse Path Forwarding (uRPF) with the interface command ip verify unicast source reachable-via { rx | any } [allow-default] [allow-self-ping] [list] (CEF must be enabled for uRPF to work).

Packets can be examined in 2 ways:

  • Strict RPF – With the rx parameter, the router checks in the routing table whether the outgoing interface toward the source IP is the same interface on which the packet was received. If not, the packet is dropped.
  • Loose RPF – With the any parameter, the router only checks whether some route exists that could be used to reach the source IP.

By default the check ignores the default route; to include the default route in the check, add the allow-default parameter.

One concern when deploying this feature is asymmetric flows: Loose mode is the scalable option for networks with asymmetric routing paths.

Examples:

Connections:

(192.168.10.0/24) R2 f0/1 ------- f0/0 R3 (spoof address on Loop10)

Example 1:

Spoofed source address in 192.168.10.0/24

R2(config)#
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/1
ip address 192.168.20.2 255.255.255.0
ip verify unicast source reachable-via rx
!
ip route 0.0.0.0 0.0.0.0 192.168.20.1

R3(config)#
ip route 0.0.0.0 0.0.0.0 192.168.20.2
!
interface Loopback10
description spoof address
ip address 192.168.10.1 255.255.255.0
!
interface Loopback11
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0

R3(config)#do ping 10.10.10.10 source loop10 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
..
Success rate is 0 percent (0/2)

R2#sh ip traffic
IP statistics:

Drop: 1982 encapsulation failed, 0 unresolved, 0 no adjacency
9 no route, 2 unicast RPF, 0 forced drop
0 options denied

R2#sh ip int f0/1
FastEthernet0/1 is up, line protocol is up
Internet address is 192.168.20.2/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes

IP verify source reachable-via RX
2 verification drops

Example 2:

Exclude networks from the uRPF check using an ACL

R2(config)#

access-list 10 permit 1.1.1.0 0.0.0.255

interface FastEthernet0/1
no ip verify unicast source reachable-via rx
ip verify unicast source reachable-via rx 10

R3(config)#
no interface loopback10

R3(config)#do ping 192.168.10.1 source loop11 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 30/40/49 ms

Example 3:

Allow any source that is matched only by the default route to pass the uRPF check

R2(config)#

interface FastEthernet0/1
no ip verify unicast source reachable-via rx 10
ip verify unicast source reachable-via rx

R3(config)#do ping 192.168.10.1 source loop11 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
..
Success rate is 0 percent (0/2)

! Allow the default route in the uRPF check when no more specific route exists

R2(config)#

interface FastEthernet0/1
ip verify unicast source reachable-via rx allow-default

R3(config)#do ping 192.168.10.1 source loop11 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 40/46/52 ms

R2#sh ip int f0/1
FastEthernet0/1 is up, line protocol is up
Internet address is 192.168.20.2/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes

IP verify source reachable-via RX, allow default
4 verification drops
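As an added example (not part of these notes, and not Cisco code), here is a small Python model of the uRPF decision exactly as the notes describe it: longest-prefix lookup of the source address, strict (rx) versus loose (any) comparison with the ingress interface, the default route ignored unless allow-default is set, and the ACL consulted only when the check fails. R2's routing table, the interface names and the 1.1.1.0/24 exemption are taken from the lab above; the function names and data layout are my own assumptions, and the run_lab_examples() function replays the three examples to reproduce the verdicts seen on R2.

```python
"""uRPF decision model: strict (rx) vs loose (any), allow-default and ACL exemption.

Added example, not part of the original notes. Routing table, interface names
and addresses are constructed from the lab above (R2's point of view).
"""
from ipaddress import ip_address, ip_network

# Constructed: R2's routing table from the lab, prefix -> outgoing interface.
R2_ROUTES = {
    "192.168.10.0/24": "FastEthernet0/0",  # connected LAN behind R2
    "192.168.20.0/24": "FastEthernet0/1",  # link to R3
    "0.0.0.0/0": "FastEthernet0/1",        # ip route 0.0.0.0 0.0.0.0 192.168.20.1
}


def lookup(routes, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ip_address(addr)
    best = None
    for prefix, iface in routes.items():
        net = ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def rpf_verdict(routes, src, in_iface, mode="rx", allow_default=False):
    """The reachable-via check alone (no ACL). Returns (verdict, reason)."""
    match = lookup(routes, src)
    if match is None:
        return "drop", "no route to source"
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        # Both rx and any ignore the default route unless allow-default is set
        return "drop", "only the default route matches and allow-default is not set"
    if mode == "any":
        return "forward", f"loose: a route to {src} exists ({net})"
    if iface == in_iface:
        return "forward", f"strict: {net} is reached via {iface}, the ingress interface"
    return "drop", f"strict: {net} is reached via {iface}, but the packet arrived on {in_iface}"


def urpf_check(routes, src, in_iface, mode="rx", allow_default=False, exempt_acl=()):
    """Full check as IOS applies it: a packet that fails RPF is still forwarded
    when the optional ACL permits its source (modelled as permitted prefixes)."""
    verdict, reason = rpf_verdict(routes, src, in_iface, mode, allow_default)
    if verdict == "drop":
        for prefix in exempt_acl:
            if ip_address(src) in ip_network(prefix):
                return "forward", f"RPF failed ({reason}) but ACL permits {prefix}"
    return verdict, reason


def run_lab_examples():
    """Replays the page's three examples against R2's f0/1 (strict mode)."""
    f01 = "FastEthernet0/1"
    return {
        # Example 1: R3 spoofs 192.168.10.1, a prefix R2 reaches via f0/0
        "ex1_spoofed_lan_source": urpf_check(R2_ROUTES, "192.168.10.1", f01),
        # Example 2: 1.1.1.1 has no specific route, but access-list 10 permits 1.1.1.0/24
        "ex2_acl_exempt": urpf_check(R2_ROUTES, "1.1.1.1", f01, exempt_acl=("1.1.1.0/24",)),
        # Example 3: ACL removed, default route ignored -> drop
        "ex3_default_ignored": urpf_check(R2_ROUTES, "1.1.1.1", f01),
        # Example 3, continued: allow-default lets the default route (via f0/1) satisfy the check
        "ex3_allow_default": urpf_check(R2_ROUTES, "1.1.1.1", f01, allow_default=True),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in run_lab_examples().items():
        print(f"{name:24s} {verdict:8s} {reason}")
```

Running it prints one line per scenario: example 1 and the first half of example 3 end in drop (strict mismatch and default-route-only respectively), while the ACL exemption and allow-default cases are forwarded, matching the "2 unicast RPF" and later "4 verification drops" counters on R2. The model also shows the point made about loose mode: with mode="any" a source reached only through the default route is still dropped until allow-default is set.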