Channel: Network – Weberblog.net
Browsing all 253 articles

IPsec Site-to-Site VPN Juniper ScreenOS Cisco Router w/ VTI

And finally: A route-based VPN between a Juniper ScreenOS SSG firewall and a Cisco router with a virtual tunnel interface (VTI). Both sides with tunnel interfaces and IPv4 addresses. Both sides with a...

Juniper ScreenOS Firewall autocorrects Route Entries

I was a bit confused today as I saw a “wrong” route entry in the config of an SSG firewall. The route did not have the correct “network/netmask” notation but a “host-address/netmask-of-the-network”...

Juniper ScreenOS NSRP: Configuration via GUI, NSM, and CLI

Short step-by-step screenshot guide for an initial configuration of NSRP of two Juniper ScreenOS firewalls, such as the SSGs. One screenshot pack for the http GUI and another one for the Network and...

Juniper ScreenOS DHCP Relay: “Use Interface as Source IP for VPN”

I had strange looking DHCP packets in my network as I tested around with DHCP relays on the Juniper SSG firewall. Some packets were blocked and I didn’t know why. After some troubleshooting it was...

DHCP Sequences: Broadcast vs. Unicast

I missed a sequence diagram for DHCP which not only shows the four basic messages (DISCOVER, OFFER, REQUEST, ACK), but also the used source/destination addresses and ports, the type of connection...

OSPF for IPv4 Test Lab: Cisco Router & ASA, Juniper SSG & Palo Alto

I tested OSPF for IPv4 in my lab: I configured OSPF inside a single broadcast domain with five devices: 2x Cisco Router, Cisco ASA, Juniper SSG, and Palo Alto PA. It works perfectly though these are a...

Why Ping is no Security Flaw! (But your Friend)

One core topic when designing firewall policies is the following question: Is ping a security attack? Should ICMP echo-request messages be blocked in almost any direction? My short answer: Ping is...

Advanced Tracerouting

A common misunderstanding of traceroute is that it fully relies on ping. “If I block ping at my firewall, no one can use traceroute to reveal my internal routing path”. Unfortunately this is not...

Secure Wi-Fi: What Really Helps

A few days ago I was made aware via Twitter of an article called “Five Tips for a Secure Wi-Fi”. Cool, I thought, since after all this is a frequently asked question, how...

IPv4 vs. IPv6 Traffic Statistics on Routers

I am very interested in statistics about the usage of IPv6 on Internet routers and firewalls. The problem is that most routers/firewalls do not have unique SNMP OIDs for IPv4 and IPv6 traffic, but...

FRITZ!OS 06.20 and Later: Changes to VPNs

The release notes of the latest AVM FRITZ!Box version, FRITZ!OS 06.20, stated among other things: “VPN connections now support the additional Diffie-Hellman groups 5, 14 and 15”. Cool thing, after all it is...

Juniper Secure Access: Easy Deployment Poster

For a beginner, the configuration of a Juniper Secure Access SA/MAG device is not that simple. There are too many options and links that must be filled in. Though there are quite detailed configuration...

My Nmap Command

I am using Nmap to do basic port scans for customers that requested them. The Nmap GUI “Zenmap” offers some profiles to choose the appropriate options for the scan. But when using a mere ssh session,...

VoIP from FRITZ!Box via Juniper SSG Firewall

At home I have retired the AVM FRITZ!Box as my sole router and replaced it with a Juniper SSG 5 firewall. The FRITZ!Box is nevertheless still there and sits as an IP client behind the...

Juniper ScreenOS NAT Overview: MIP DIP VIP

MIP DIP VIP. I am sometimes confused with the NAT names of the Juniper ScreenOS devices. Therefore, I drew a small figure with a few basic examples for these NAT types. Note that this figure does not...

If only one DNS query is malicious …

… the whole Internet breaks down. This happened on a Palo Alto with a DNS proxy and a (slightly misconfigured) anti-spyware profile. All network clients had a single DNS server configured, namely the DNS...

Considerations about IPsec Pre-Shared Keys

Pre-shared keys (PSK) are the most common authentication method for site-to-site IPsec VPN tunnels. So what’s to say about the security of PSKs? What is its role for the network security? How complex...

IPsec Site-to-Site VPN Palo Alto FortiGate

This is a small tutorial for configuring a site-to-site IPsec VPN between a Palo Alto and a FortiGate firewall. I am publishing step-by-step screenshots for both firewalls as well as a few...

IPsec Site-to-Site VPN FortiGate Juniper SSG

Here comes the step-by-step guide for building a site-to-site VPN between a FortiGate and a ScreenOS firewall. Not much to say. I am publishing several screenshots and CLI listings of both firewalls,...

IPsec Site-to-Site VPN FortiGate Cisco Router

This blog post shows how to configure a site-to-site IPsec VPN between a FortiGate firewall and a Cisco router. The FortiGate is configured via the GUI – the router via the CLI. I am showing the...
