November 11th, 2009
I have several Juniper SRX-210 devices configured in remote offices. One of the biggest problems I have is that a lot of people are constantly running scripts against the SSH daemon. I could lock it down to a specified list of allowed IP addresses. That would be the most secure method, but I have a business requirement to be able to connect to these devices from many different locations. There is a command you can use to mitigate brute force attempts.
The command limits the number of SSH attempts per minute per source IP to 2. That is just enough in case you make a mistake during login, but not enough for a script kiddie to run 500 attacks a minute against your firewall.
system {
    services {
        ssh {
            rate-limit 2;
        }
    }
}
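As an added example (not part of the original post), here is a small Python check that shows what the rate-limit setting is meant to stop: it reads OpenSSH-style failure lines as an SRX would send them to syslog (the exact line format is assumed) and reports any source that exceeds 2 failed logins within a single minute. The log lines are constructed for the example.

```python
import re
from collections import defaultdict

# OpenSSH-style "Failed password" lines as relayed by Junos syslog (format assumed).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def count_failures_per_minute(lines):
    """Return {(src_ip, 'Mon dd HH:MM'): count} of failed SSH logins."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        minute = m.group("ts")[:-3]  # strip the seconds -> one bucket per minute
        counts[(m.group("src"), minute)] += 1
    return dict(counts)


def sources_exceeding(lines, limit=2):
    """Sources with more than `limit` failed logins in any one minute.

    `limit` mirrors the SRX 'rate-limit 2' setting: a source that the knob
    would throttle shows up here when the same traffic is examined in the logs.
    """
    offenders = defaultdict(int)
    for (src, minute), n in count_failures_per_minute(lines).items():
        if n > limit:
            offenders[src] = max(offenders[src], n)
    return dict(offenders)


# Constructed sample log: one admin typo, then a scripted run from another host.
SAMPLE_LOG = """\
Nov 11 10:15:01 srx210 sshd[5123]: Failed password for admin from 192.0.2.10 port 51422 ssh2
Nov 11 10:15:09 srx210 sshd[5123]: Accepted password for admin from 192.0.2.10 port 51422 ssh2
Nov 11 10:16:00 srx210 sshd[5130]: Failed password for root from 203.0.113.5 port 40122 ssh2
Nov 11 10:16:01 srx210 sshd[5131]: Failed password for root from 203.0.113.5 port 40123 ssh2
Nov 11 10:16:02 srx210 sshd[5132]: Failed password for invalid user oracle from 203.0.113.5 port 40124 ssh2
Nov 11 10:16:03 srx210 sshd[5133]: Failed password for invalid user test from 203.0.113.5 port 40125 ssh2
""".splitlines()

if __name__ == "__main__":
    for src, n in sources_exceeding(SAMPLE_LOG).items():
        print(f"{src}: {n} failed logins in one minute (limit 2)")
```

The admin's single typo stays under the limit, while the scripted source is flagged; the same threshold applied on the box is what the rate-limit statement enforces.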
Tags: brute force, Junos, ssh
Posted in Juniper, Security | No Comments »
October 3rd, 2009
I was thinking about a new project idea: setting up a dynamic multipoint VPN concentrator with a small LAN and a couple of servers behind it, and putting the configuration instructions for Juniper and Cisco devices on a web page. I was thinking of running the BGP routing protocol over the interface, as it scales reasonably well.
The important part is that I wanted to create a web form which requests the internal and external address ranges of anyone's network. Once that person submits the information, a Perl script will pull those messages from the web form, parse the information, insert the networks and IP addresses into a J-Script template, and apply it to my Juniper SRX router automatically.
This project will enable Cisco and Juniper students to participate in the environment and create a public VPN network where p2p apps and anything else can run over the network without having to worry about prying eyes. I want to see how far this project will scale. I was even envisioning a time when other people with idle equipment could volunteer to become a secondary hub to take some of the load once my connection reaches 10 thousand or so tunnels. Because of the way DMVPN works, the tunnels between sites open up as needed when a user at site A needs to talk to site B. Combined with BGP as the routing protocol, this means very little bandwidth is required, since traffic from site A to site C will not transit site B if site B is the hub in this scenario.
Anyway, if anyone out there is interested, please leave a comment.
Posted in Cisco, Events, Internet, Juniper, Security | No Comments »
July 20th, 2009
I see that a lot of you find this site through various search engines and that many of you are searching for information on GRE tunnels. I just wanted to say how much I appreciate the traffic, and I want to let everyone know that creating an account is free. I would love to hear your feedback on the articles and any questions you might have.
Posted in Events | No Comments »
July 19th, 2009
I recently came across a problem that small businesses commonly face. I came up with several solutions and thought I would take a minute to discuss one of them. This customer has a business requirement to use a proxy server for all outgoing web traffic. On the face of it this seems like a simple problem: there are many good proxy vendors out there, such as my favorite, Blue Coat, and there are free alternatives such as the Squid caching proxy server.
Tags: access list, Cisco, ip sla, proxy, route-map, rtr, sla, squid, wpad
Posted in Cisco, Internet, Security | 1 Comment »
June 14th, 2009
Juniper's JUNOS is a very robust operating system. Not only is the OS very advanced, but the ASIC-heavy design of Juniper hardware is akin to calorie-free chocolate bars! Juniper filter lists, which are non-stateful packet filters similar to Cisco access lists, are compiled and processed in hardware. What this means is that you can have as many filter lists as you want, as long as you want, without degrading performance.
Juniper is also big on naming things. In JUNOS everything has a name: the filter lists have names, the terms in the filter lists have names, and even the addresses you are matching on have names. This is a big concept in JUNOS because it allows you to write snippets of filter lists and reuse them in many different filter lists. JUNOS also supports grouping filter lists and applying an entire group of filters to an interface. If you apply a filter group to a JUNOS interface, the individual filter lists are evaluated sequentially, in order.
Tags: access list, ACL, Cisco, filter-list, Juniper, Networking, Security
Posted in Internet, Juniper, Security | No Comments »
June 13th, 2009
I have been busy lately. I am in the middle of a data center migration at work, which is eating up hours of my personal time, and I have a million other projects on the burner. I have fresh content coming, but in the meantime I did a TechCast on Junos; please view the video at http://www.exiletv.com.
Until next time.
Tags: Juniper, Junos, TechCast
Posted in Events | No Comments »
February 4th, 2009
I have been continuing to set up the BBS software on bbs.techinvasion.net. I have added IRC, gopher, finger, and ident functionality. I encourage all of you to drop by and experience this neat software. The really neat thing about this BBS software is that it connects you to a world of forums and message boards that can only be accessed using BBS software. If you are running Firefox, I encourage you to go to gopher://bbs.techinvasion.net. This will let you view the forums and posts; although it doesn't look the same as it does through a telnet session, it is still very interesting.
Tags: BBS, finger, gopher, ident, sbbs, synchronet, telnet
Posted in Internet | No Comments »
February 2nd, 2009
Recently, as a project cleaning up some old files and software, I came across a software disk for an old BBS I used to run. This piqued my interest, as I wondered whether there were still BBS systems alive and well on the internet. Information on BBS systems was few and far between in my research, and it took me a while to make some headway. Eventually I came across the http://Synchro.net BBS software. This software is very similar to old-school DOS BBSs. I installed the software, which was no small feat given the inadequate build instructions. Once the system was built and installed, I had a lot of fun setting up classic door games such as Trade Wars and others.
Tags: BBS, gopher, Networking
Posted in Internet, personal News | No Comments »
December 22nd, 2008
Cisco routers have a very robust network address translation feature set. The NAT software allows you to control translation with access lists, route maps, and destination pools. With the wide array of commands, it is sometimes difficult for beginners and experts alike to figure out how to combine these elements to solve a problem.
Tags: Cisco, Cisco Port Range Forwarding, Destination Pools, NAT, NAT Ranges, Rotary Pools, Static NAT
Posted in Cisco, Security | No Comments »
October 21st, 2008
In the beginning God created heaven and earth, and then he created routers, so packets could flow from one part of the earth to the other. As he rested he looked down on his creation and smiled, for all was good. Packets were flowing from one interface to another. Then, as he beheld his creation, he watched as some bad packets decided to flow where they didn't belong! So God created access lists, and again everything was as it should be: packets only flowed to areas where they belonged. After some time, naughty packets found out that they could sneak by God's great protectors of the network by setting the ACK bit in their headers.
Tags: access list, ACL, cbac, content based access control, firewall ios, ip inspect, stateful
Posted in Cisco, Security | No Comments »