SRX VIRTUALISATION: Basics

Virtualisation.

That got your attention, didn't it! It's the big topic these days, and on the SRX we can apply it in several ways.


In the Juniper world we have VSYS on ScreenOS and LSYS on the high-end SRXs, both of which allow the creation of logical firewalls with separate administrative rights within a single box.


There is also Firefly Perimeter to consider (a 60-day evaluation is available):
http://www.juniper.net/us/en/products-services/security/firefly-perimeter/#evaluation

Even though we can't use LSYS on a branch SRX, we can still set up logical routers, called Routing Instances, and then assign specific zones and interfaces to those Routing Instances, thereby gaining some degree of virtualisation on the branch SRX.

Let's look at a simple example of how to apply this..


SRX IDP: Templates Update

Did you notice that Juniper has updated their IDP policy templates?

First let's review the list of the old pre-defined templates..

blogger@SRX> show security idp policy-templates-list
Web_Server
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended


Let's check the version of those templates..

blogger@SRX> show security idp security-package-version
  Attack database version:2395(Wed Jul  2 18:14:04 2014 UTC)
  Detector version :12.6.160140626
  Policy template version :2192

 
Let's check and see what's available..

blogger@SRX> request security idp security-package download check-server
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2395(Detector=12.6.160140626, Templates=2395)

 
So you see, even if you are automatically updating the attack database, that does not update the policy templates: the installed template version (2192) lags the template version offered by the download server (2395).

SRX NAT: Destination

Today we will have a look at some Destination NAT (DNAT) on the SRX with port translation.

We have the following network scenario..



In this scenario we need to do DNAT using the actual external interface IP (192.168.200.200), translating both the destination address and the destination port.

So the flows will go like this:

PRENAT                                         POSTNAT
192.168.200.10 --> 192.168.200.200:8088        192.168.200.10 --> 10.31.254.17:80
192.168.200.10 --> 192.168.200.200:2088        192.168.200.10 --> 10.31.254.17:22
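The two flows above expressed as a Junos destination NAT configuration, added here as an illustration and not taken from the original post. It assumes the external interface 192.168.200.200 sits in a zone named untrust and the server 10.31.254.17 in a zone named trust; the pool, rule-set, address-book and policy names are made up.

```junos
# Added example, not the post's own configuration.
# Assumed: 192.168.200.200 is in zone "untrust", 10.31.254.17 is in zone "trust".

# One pool per translated destination, since both address and port are rewritten.
set security nat destination pool dnat-web address 10.31.254.17/32 port 80
set security nat destination pool dnat-ssh address 10.31.254.17/32 port 22

# Match on the real external interface IP plus the public-facing port.
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule web-8088 match destination-address 192.168.200.200/32
set security nat destination rule-set from-untrust rule web-8088 match destination-port 8088
set security nat destination rule-set from-untrust rule web-8088 then destination-nat pool dnat-web
set security nat destination rule-set from-untrust rule ssh-2088 match destination-address 192.168.200.200/32
set security nat destination rule-set from-untrust rule ssh-2088 match destination-port 2088
set security nat destination rule-set from-untrust rule ssh-2088 then destination-nat pool dnat-ssh

# Security policy is evaluated AFTER destination NAT, so it must match the
# translated inside address and the translated services (80/22), not 8088/2088.
set security zones security-zone untrust address-book address client-200-10 192.168.200.10/32
set security zones security-zone trust address-book address server-254-17 10.31.254.17/32
set security policies from-zone untrust to-zone trust policy allow-dnat match source-address client-200-10
set security policies from-zone untrust to-zone trust policy allow-dnat match destination-address server-254-17
set security policies from-zone untrust to-zone trust policy allow-dnat match application [ junos-http junos-ssh ]
set security policies from-zone untrust to-zone trust policy allow-dnat then permit
set security policies from-zone untrust to-zone trust policy allow-dnat then log session-init
```

To confirm the translation is happening, `show security flow session source-prefix 192.168.200.10` should show the In wing to 192.168.200.200/8088 and the Out wing from 10.31.254.17/80; restricting the policy to the single source 192.168.200.10 keeps the exposed services from being reachable by anyone else.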


CX111

I recently had the opportunity to test out a CX111.
It's a device that acts as a Layer 2 bridge between a 3G/4G USB modem, connected to one of its three USB ports, and a single Ethernet port.

http://www.juniper.net/au/en/products-services/routing/srx-series/cx111/

Specifically I tested it with a Telstra 4G Sierra Wireless AirCard 320U.
And the results were great!

SRX VPN: Multipoint

Happy New Year to all readers!

Today we are going to make a multipoint VPN.
One hub site (VPN-CORE) and 2 spoke sites (LEFTY and RIGHTY2). All devices are SRXs.


Multipoint is only supported with route-based VPNs, so that's what we will be using. The key point to note is that the multipoint hub uses a single tunnel interface regardless of the number of VPN tunnels.


In real life you probably wouldn't bother with multipoint for just 2 spokes, but this is a lab, so let's do it!

Here is the network we are working on..

We will want to get traffic between the 2 trust zones and the server-zone running over the VPN.



SRX UTM: Antivirus - Sophos

Here is a quick overview of getting Sophos AV working on an SRX.

Sophos is the cloud-based solution, so it needs an active Internet connection to work. This means the AV database is not stored locally on the SRX as it is with Kaspersky. The SRX performs its AV lookups as DNS queries to the Sophos cloud. We'll see later how these work.

Sophos can also perform URI content checking over HTTP to detect malware. This is essentially a reputation check and can be disabled if you wish.

The Sophos solution should put less load on the SRX, processor- and memory-wise, since it does not have to download a giant AV database and run checks against it, though it does cache responses to improve lookup performance.

SRX VPN: Checkpoint to SRX Site-to-Site Policy Based.

Today we are going to take a look at a site to site VPN between a Checkpoint and an SRX.

We will focus more on configuration and testing than on VPN theory, as the Internet is full of great resources in that respect. No NAT in this one either, to keep it simpler and focused on the VPN side of things. We will do a separate blog post on VPN troubleshooting.


Here is a layer 3 view of the network we will be using..