  1. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,785

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #1

    Default Dr Ahriakin's Singalong JNCIE-Sec Blog

    Hi Folks,

    As I stated in the earlier thread (seeing if there was any interest in doing one of these) I'm not a blogger but there's not much info out there for the JNCIE-Sec and the last one of these I did for the CCIE seems to have been useful to some soooo here we are. Starting out on the last leg of my Juniper journey (well cert wise anyway). So for background I've worked in IT for about 17 years, networking probably for about 6, starting off with the usual tracks of Phone Support / Small Business IT / Medium Enterprise and then into the Mobility sector, picking up Microsoft and Cisco certs along the way as appropriate (I don't just do them for the hell of it, to me it's all about the knowledge, the certs are just good milestones imho (and yes they don't hurt the resume either)). I did the CCIE-Security about 3.5 years ago now....wow...time flies and went into a Telecoms company shortly after. Since then I haven't done too much cert-wise, the TippingPoint TCSE being the only one before Juniper last year. There just wasn't time. Well we ended up trying out the SRX last year and liked it enough to start overhauling our network with the things, they kinda grow on you, so off I went down the Juniper cert track. To be honest I took it fairly slowly, there are a lot of new technologies I need to research and use at work so I don't get anywhere near as much time to work on any one track....at least that's my excuse, the truth is likely somewhere between that and the fair Isle of Lazy. I did the JNCIA-JunOS and JNCIS-Sec last year from the fast track materials and the JNCIP-Sec a few weeks back. From the start I knew if I was even going to start down this track then I was going all the way to the end so I view everything up until now as an appetizer. Time for the main course.

    My aim is to at least have one attempt in the bag by Xmas. Okay it's really to have passed by then, but we'll see, I think if you go into your first attempt accepting you might fail then if you do it won't demoralize you as much. Not that I will try anything less than my best to pass, I just won't let it crush me if I don't.

    I was hoping to do the JNCIE-Sec bootcamp but it looks like it may not materialize before our learning credits expire so I've started gathering materials together myself. I'll break down what I am using as I go but also edit the next few posts over time to keep an up to date list in one place.

    So, hopefully this won't be too boring. Time will tell...
    Last edited by Ahriakin; 06-13-2012 at 05:37 AM.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?


  3. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,785

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #2
    Lab Equipment (06-13-2012)
    2 x SRX100
    1 x SRX210H with IPS license
    1 x Cisco3640 Router with full Security licenses
    3 x Cisco 2620 routers
    1 x Cisco 3550 Switch
    2 x Cisco 2940 Switches
    1 x Cisco Pix 515 Firewall
    1 x Cisco ACS VM for AAA
    1 x Microsoft Cert Server VM for PKI

  4. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,785

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #3
    Over time I'll do up some notes on these and then after my attempt rate them on how relevant they were (without breaching NDA).

    Lab Workbooks
    iNET-Zero JNCIE-Sec Lab Workbook

    Library:

    JNCIA-JunOS Fast Track docs
    JNCIS-Sec Fast Track docs
    AJSEC Course Book
    JIPS Course Book
    "JunOS Security" - O'Reilly
    "JunOS Cookbook" - O'Reilly
    "JunOS Enterprise Routing" - O'Reilly

    Juniper.net documentation (most useful so far)
    CLI Security Reference 10.4
    Security Configuration Guide 10.4
    Junos Policy Framework and Configuration guide 10.4
    Admin Guide 10.4

  5. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,785

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #4
    So the first Blog entry after all that is really just a note. I should have the iNET-Zero workbook in the next day or so, I ordered it this morning and they should email it within 2 days. I also noticed they cut their rack-time cost in half which is great, when I was first looking at this at ~$90 a pop that was going to be a pretty expensive proposition. It's still high compared to CCIE rack time but that's to be expected with the smaller market. I intend to follow the same path I did with the Cisco side. Use my home lab to work on the core technologies and rack-time to focus on the big picture and time management etc. Hopefully over the next few months the JNCIE-Sec bootcamp will appear as well, and maybe some more 3rd party material.

  6. Went to the dark side.... Moderator networker050184's Avatar
    Join Date
    Jul 2007
    Posts
    8,068

    Certifications
    CCNA, CCNP, CCIP, JNCIA-JUNOS, JNCIS-SP, JNCIP-SP
    #5
    I look forward to following along. Good luck!
    An expert is a man who has made all the mistakes which can be made.

  7. A guinea pig tricked me! zoidberg's Avatar
    Join Date
    Sep 2007
    Location
    North America
    Posts
    304

    Certifications
    JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCIS-FWV, (CISSP Exam), CCIP, CCDP, CCNP, and so on...
    #6
    Looks like you're getting a good start to your JNCIE-SEC quest. Looking forward to reading about it and helping where I can.

    I would suggest adding the Layer 2 Bridging and Switching Configuration Guide 11.1 from Juniper.net to your library. Per the exam outline, Transparent Mode may be in the lab. Also, the software listed for the lab includes 10.4 and 11.1.

  8. Certification Invigilator Forum Admin JDMurray's Avatar
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    9,413
    Blog Entries
    48

    Certifications
    GSEC, EnCE, CISSP, SSCP, CASP, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec (CNSS 4011, 4013)
    #7
    Ahriakin, your new avatar:

    nf.jpg
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray

  9. Senior Member
    Join Date
    Feb 2012
    Location
    Tampa, FL
    Posts
    104

    Certifications
    A+, Net+, Se+, Ser+, HIT+, CCNET, CCNA, CCNA Sec, CCDA, MTA: Ser, MTA: Op Sys, MTA Net, MTA Sec, MCP Config Win7, MCSA: Win7, MCSA: EDA
    #8
    Ever thought of being a mentor?

  10. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,785

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #9
    @JDMurray :: RE "Ahriakin, your new avatar"

    So very very tempting
    Last edited by Ahriakin; 06-14-2012 at 06:38 PM.

  11. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,785

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #10
    Thanks for the advice Zoidberg, I was going to grab 11.x anyway but hadn't even thought of the switching docs, grabbing them now.

    I decided to start from scratch again, reinforce some of the basics primarily for speed. I made that mistake when I did the CCIE, figured I could work out what I needed for the more basic concepts since they were relatively simple rather than having to memorize them as much which ultimately slowed me down on that first attempt. I'm going to make sure I know the CLI 'tricks' inside out, find the absolute fastest way to do configuration, searches, verification etc. and burn it in so I can focus on the harder stuff and not stumble on the baby steps. To that end I've started on the JunOS CookBook again, and it's a good thing too since I've already found a few things I have developed bad habits with and there are smarter ways to do. Today I just worked through out-of-box basics, system config, loading/saving/merging configs etc.

    I also got the iNET-Zero Lab workbook this afternoon and just had a quick scan through. I won't be starting on this probably for another month or so and I don't want to ruin some of the challenge by pre-reading it. Which is also why I will wait to start it, I know right now I would be constantly checking docs for the various tasks so it wouldn't help me gauge readiness at all, and then when I was finally ready to battle it out half of it would be from memory which again gets in the way of realism. So I will start it when I have gone through all of my core documentation at least once in this cycle. But from what I have seen it seems like a very competent workbook, good professional and easy to read layout following the format you would expect from the Cisco IE training vendors. There are 8 function-centric 'chapters' (and matching Appendix sections with the answers and explanations) and a final full lab. Just over 200 pages in all. Of course there's no way to judge accuracy and quality until I actually sit down to do it, but from the initial scan my hopes are high.

  12. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,785

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #11
    I did some on the job research, nice when the tasks of the day can be steered..er...I mean overlap naturally with some study. Mainly looking at IPv6 and NAT64, a bit of VPN troubleshooting etc. Was too tired when I got home from work to do much so I'll be taking the Cookbook with me to bed. I'm getting most of my material on the Kindle now. I did use a lot of PDFs for the Cisco side as we had full access to the Cisco TKL (basically everything from Cisco Press for free through our contracts) but it's all too easy to get distracted reading them from the PC/Laptop. When I'm lab'ing up I do use the laptop but NEVER open a browser on it, just faithful mRemote and Putty.
    I built a small little study area in the bedroom away from everything else, moved my headphones/dac/amp in with a nice little Logitech Squeeze Box touch and it's gotten so much easier to focus. I need music to study by, it calms the ADD and if I feel like taking a break...which usually means giving up for the night, I just stop reading and keep listening for a while and the temptation dissipates (a bit). When it gets really bad I try fooling myself that I'm really there to listen and the study is just something to do along the way...silly psychological games, but it works for me to some extent.
    I picked up an APC Console server pretty cheap on ebay also. With a small amount of equipment I need to regularly overhaul the design to simulate more expansive topics on smaller topologies, and not having to dedicate ports for mgmt in the same range as my Laptop helps a lot. Tomorrow I think I'll get Splunk loaded on the main file server, I was using one locally (the old 3Com FTP/TFTP/Syslog Daemon) on the laptop but it'll be better to centralize it.

  13. Juniper Moderator Moderator Aldur's Avatar
    Join Date
    Sep 2007
    Location
    WY
    Posts
    1,409

    Certifications
    JNCIE-SEC#67, JNCIE-SP#383, JNCIE-ENT#47, JNCIP-SP#598, JNCIP-SEC, JNCIP-ENT, JNCIS-SEC, JNCIS-ENT, JNCIA-JUNOS, CCNA
    #12
    The new AJSEC course update that we're finishing... like by tomorrow, has some good NAT64 stuff in it. Might be worth checking out.
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender

  14. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,785

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #13
    That would be cool. There's not a lot of detail out there for it at the moment. I get the concept, source-nat your v6, destination nat your v4 with a nice helping of persistence and DNS64 in between. But every example I've seen is effectively static host mapping, I'd love to see some scenarios for larger deployments. Oh and that is important for anyone looking at NAT64, if you don't already know it, don't forget your DNS! You need to match up with a DNS solution that also converts, the ALGs don't. This is not just a Juniper thing, I believe it was part of the concept change from NAT-PT to NAT64. Your DNS server needs to be able to convert A to AAAA (and vice versa) in the absence of either record when needed. There are some good presentations on this over at slideshare. So this week is just focusing on User account setup (yes I know how to add users and classes), what I really want to play with is the authorization part. If you link to a AAA system and use locally remote to local mapped accounts it can be a fire-and-forget process as far as actual SRX configuration goes, easy to skim over and not think of again, which means easy to fail on an actual test. It's not rocket science but at the same time it goes back to my aim to optimize the little things early this time.

    Oh and a little real-world note on using AAA with local auth, most of you probably already know this but just in case... My advice is configure local system accounts with the privileges you need for the groups that will access it, then use the local-user-name parameter (either from RADIUS or TACACS, both can send this) to map individual users to those accounts. Makes life much easier. Also something that is not explained very well in the early training materials about authentication-order (but is listed in other docs) is that you don't have to add 'password' to the list to have it as a fallback only. You do if you want to keep the system treating AAA and Local as an OR operation, i.e. credentials that fail AAA will be checked against local and if either are successful you're in. But most environments will only want the Local to be used if AAA is unreachable, in this case just don't specify password in the list, the system will automatically try it if needed. Just be careful if you regularly use the Root account and do this....but then you shouldn't be using that except in emergencies anyway.
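The two authentication-order behaviours described in the post above, side by side, as an added example. This is not Junos code and not the poster's configuration; it is a small Python model in which a RADIUS backend is a callable returning "accept", "reject" or None (unreachable), and the local account, password and backend names are constructed.

```python
"""Model of Junos authentication-order fallback (added example, not Junos code).

  [ radius ]           local password consulted ONLY if no RADIUS server answers
  [ radius password ]  local password tried whenever RADIUS does not accept
                       (reject or no answer), i.e. AAA OR local
"""
from typing import Callable, Optional, Sequence

# Constructed local account, standing in for a mapped local-user-name account.
LOCAL_USERS = {"admin": "constructed-local-pw"}


def local_password_check(user: str, password: str) -> bool:
    return LOCAL_USERS.get(user) == password


def authenticate(order: Sequence[str], user: str, password: str,
                 radius: Callable[[str, str], Optional[str]]) -> str:
    """Return the method that granted access, or 'denied'.

    Modelled semantics:
      * methods are tried in the configured order;
      * 'password' listed explicitly -> tried even after a RADIUS reject;
      * 'password' NOT listed        -> tried only if no listed server
                                        responded at all (implicit fallback).
    """
    any_response = False
    for method in order:
        if method == "radius":
            result = radius(user, password)
            if result is None:          # server unreachable: move on
                continue
            any_response = True
            if result == "accept":
                return "radius"
            # explicit reject: only a later configured method can still admit
        elif method == "password":
            if local_password_check(user, password):
                return "password"
        else:
            raise ValueError(f"unknown authentication method {method!r}")
    # Implicit fallback: nothing configured answered, so local is consulted.
    if "password" not in order and not any_response:
        if local_password_check(user, password):
            return "password (implicit fallback)"
    return "denied"


# Constructed RADIUS backends for the three states a server can be in.
def radius_accepts(user, password):
    return "accept"


def radius_rejects(user, password):
    return "reject"


def radius_unreachable(user, password):
    return None


def compare_orders(user: str, password: str):
    """Run the same credentials through both orderings against every backend."""
    rows = {}
    for backend in (radius_accepts, radius_rejects, radius_unreachable):
        for order in (["radius"], ["radius", "password"]):
            rows[(backend.__name__, " ".join(order))] = authenticate(
                order, user, password, backend)
    return rows


if __name__ == "__main__":
    for (backend, order), outcome in compare_orders("admin", "constructed-local-pw").items():
        print(f"{backend:19s} authentication-order [ {order:16s} ] -> {outcome}")
```

The row that matters is radius_rejects with [ radius ] only: a credential RADIUS has refused is denied outright, whereas with [ radius password ] the same credential is re-checked locally.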

  15. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,785

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #14
    Whoa, didn't realise it had been that long since the last update. I won't be adding anything in here about life in general, I treat this as purely a study blog so if I don't have anything to report on that front there won't be anything new here. So please don't presume the thread is dead, I just don't believe in filling space for its own sake. But still nothing major to report, going has been slow due to projects at work but I'm still working through the JunOS cookbook. Some very handy little tricks I missed on my first run through the earlier course work.
    For the command auth side simply finding out how to locate what you need to allow via 'help reference', saves a LOT of memorization. You can also view it via a show config | display detail but it's harder to filter and navigate.

    E.g.

    help reference security policies | find Privilege

    Required Privilege Level

    security-To view this statement in the configuration.
    security-control-To add this statement to the configuration.

  16. Juniper Moderator Moderator Aldur's Avatar
    Join Date
    Sep 2007
    Location
    WY
    Posts
    1,409

    Certifications
    JNCIE-SEC#67, JNCIE-SP#383, JNCIE-ENT#47, JNCIP-SP#598, JNCIP-SEC, JNCIP-ENT, JNCIS-SEC, JNCIS-ENT, JNCIA-JUNOS, CCNA
    #15
    Interesting find on the permissions thing, I honestly didn't know about that. I'll keep that in mind for my studying.

    Speaking of studying, since the updates to the AJSEC and JSEC courses are complete, I've had a bit of time to actually get some studying done. I'm currently focusing on IDP, IPsec and HA stuff. Attempting to get quick on the keys and knowing all the commands without needing to ever hit the ? key.

    Configuring IPsec tunnels in which one side has a dynamic IP address has been fun. It's pretty cool how it actually works, I just seem to get the configuration mixed up between the two ends. I suppose that more practice will solidify that point. I've also set up an extra laptop to act as a client to practice dynamic VPNs. However, the wireless card on it is flaky, which is problematic since I'm using the wireless card to RDP to the laptop. :/

    For today I think I might dive into some NAT studying, try to get the overlapping IP addresses down cold. Should be fun, especially when you think about having IPsec involved too.

  17. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,785

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #16
    Yup it's very easy to forget there's a huge amount of documentation actually built into the OS, not just the usual sparse context sensitive help.

  18. Oliver Ladykiller Biscuit Roguetadhg's Avatar
    Join Date
    Jan 2012
    Location
    SC
    Posts
    2,314

    Certifications
    #Cisco: NA #CompTIA: A.N.S
    #17
    I feel misled by the singalong. I came here expecting a catchy advertisement tune - like:

    Poor Quality. I know.

  19. Juniper Moderator Moderator Aldur's Avatar
    Join Date
    Sep 2007
    Location
    WY
    Posts
    1,409

    Certifications
    JNCIE-SEC#67, JNCIE-SP#383, JNCIE-ENT#47, JNCIP-SP#598, JNCIP-SEC, JNCIP-ENT, JNCIS-SEC, JNCIS-ENT, JNCIA-JUNOS, CCNA
    #18
    Nice, now the fanta song is stuck in my head :s

  20. Juniper Moderator Moderator Aldur's Avatar
    Join Date
    Sep 2007
    Location
    WY
    Posts
    1,409

    Certifications
    JNCIE-SEC#67, JNCIE-SP#383, JNCIE-ENT#47, JNCIP-SP#598, JNCIP-SEC, JNCIP-ENT, JNCIS-SEC, JNCIS-ENT, JNCIA-JUNOS, CCNA
    #19
    Also, don't forget to have a look at the 11.1 docs, the exam is actually on 10.4 and 11.1.

  21. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,785

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #20
    Yup I have them too (11.1).

    (refusing to look at that video lest my consciousness be infected).

  22. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,785

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #21
    Finished the Cookbook last night. It's a decent read but hardly an absolute requirement imho. I think it's worth approaching like this after you have gone through the previous coursework just to refresh some day-day tasks. Still it did give me some inspiration for a project at work and using routing for load-balancing from the router, I'll have to test that soon. I think the next few days will just be lab'ing with basic CLI and config manipulation, maybe some work on dynamic routing/filtering since it's usually my Achilles heel.

  23. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,785

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #22
    Last night was playing around in the lab with IPv6. I managed to get NAT64 working for a simple host-host mapping but couldn't get it to work with a source-nat pool. I don't know if it's a limitation of the SRX100 I was using or not since just about every example I've seen so far involves 1-1, it would error out that my pool was v4 and the source was v6. Our work lab 5600s are being powered today so I'll be able to start playing on them soon enough too. I'll also see if upgrading from 11.2 to 11.4 makes any difference, I know that's going beyond lab code revisions and expectations but I'm doing this for the knowledge itself (the cert is a plus), I can't stop trying to understand something because it falls outside the artificial confines of the exam topics.

    The setup I have working is pretty standard:
    * Source NAT the IPv6 host (only static working so far)
    * Destination NAT the IPv4 host.

    I did find a few interesting things (which may be incredibly obvious to everyone else but were new to me).

    Setting a v6 static route:
    You must specify the inet6.0 RIB

    [edit routing-options]
    rib inet6.0 {
        static {
            route 64:ff9b::/96 next-hop aaaa:bbbb:cccc:dddd:y;
        }
    }

    Setting the equivalent of proxy-ARP for IPv6 addresses in the same subnet as the firewall's NIC:

    [edit security nat]
    proxy-ndp {
        interface reth0.0 {
            address {
                aaaa:bbbb:cccc:dddd:y/128;
            }
        }
    }
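The pieces that posts #13 and #22 above describe, source NAT of the v6 host, destination NAT of the v4 host and DNS64 in between, modelled in Python as an added example (not from the thread and not Junos code). It uses the 64:ff9b::/96 prefix routed in the static route above and the RFC 6052 /96 embedding; the zone records, host names and the static v6-to-v4 source mapping are constructed.

```python
"""NAT64 address embedding (RFC 6052) and the DNS64 step (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")   # well-known prefix, RFC 6052


def synthesize_aaaa(prefix: ipaddress.IPv6Network, ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 embedding layout is modelled here")
    return ipaddress.IPv6Address(int(prefix.network_address)
                                 | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(prefix: ipaddress.IPv6Network, ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Inverse of synthesize_aaaa; None if the address is outside the NAT64 prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


# Constructed zone: one dual-stack name, one IPv4-only name, one with no records.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "dual.example.test":   {"A": ["192.0.2.10"],               "AAAA": ["2001:db8::10"]},
    "v4only.example.test": {"A": ["192.0.2.20", "192.0.2.21"], "AAAA": []},
    "empty.example.test":  {"A": [],                           "AAAA": []},
}


def dns64_lookup(name: str, zone=ZONE, prefix=NAT64_PREFIX) -> List[ipaddress.IPv6Address]:
    """Answer an AAAA query like a DNS64 resolver: real AAAA if present,
    otherwise synthesise one AAAA per A record. Only IPv4-only names get
    synthesised answers, so dual-stack hosts are reached natively."""
    rr = zone.get(name)
    if rr is None:
        return []
    if rr["AAAA"]:
        return [ipaddress.IPv6Address(a) for a in rr["AAAA"]]
    return [synthesize_aaaa(prefix, a) for a in rr["A"]]


# Constructed static source mapping: the host-to-host case the post got working.
STATIC_SRC_MAP = {"2001:db8:1::50": "198.51.100.50"}


def nat64_translate(src_v6: str, dst_v6: str, src_map=STATIC_SRC_MAP,
                    prefix=NAT64_PREFIX) -> Optional[Tuple[str, str]]:
    """Translate a v6 flow to (v4 src, v4 dst): source NAT the v6 host via the
    static map, destination NAT by extracting the embedded v4. None means the
    flow is not NAT64 traffic (destination outside the prefix or unmapped source)."""
    dst_v4 = extract_ipv4(prefix, dst_v6)
    src_v4 = src_map.get(str(ipaddress.IPv6Address(src_v6)))
    if dst_v4 is None or src_v4 is None:
        return None
    return src_v4, str(dst_v4)


if __name__ == "__main__":
    for name in ZONE:
        print(name, [str(a) for a in dns64_lookup(name)])
    print(nat64_translate("2001:db8:1::50", "64:ff9b::c000:214"))
```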

  24. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,785

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #23
    Well studying for NAT64 has led me to sidestep into reading "IPv6 Essentials" from O'Reilly. It's quite good so far, it doesn't waste time belaboring the format, just provides succinct notes on the packet-layout, addressing etc. Oh this transition is going to be fun.....

  25. Juniper Moderator Moderator Aldur's Avatar
    Join Date
    Sep 2007
    Location
    WY
    Posts
    1,409

    Certifications
    JNCIE-SEC#67, JNCIE-SP#383, JNCIE-ENT#47, JNCIP-SP#598, JNCIP-SEC, JNCIP-ENT, JNCIS-SEC, JNCIS-ENT, JNCIA-JUNOS, CCNA
    #24
    Speaking of NAT fun, I've been focusing on using static NAT, primarily on understanding how reverse static NAT works. For example, I've set up a static NAT rule.

    Code:
    {primary:node0}[edit]
    lab@srx# show security nat static 
    rule-set 1 {
        from interface fe-0/0/1.0;
        rule r-1 {
            match {
                destination-address 172.16.10.0/24;
            }
            then {
                static-nat {
                    prefix {
                        172.20.0.0/24;
                    }
                }
            }
        }
    }
    It's easy to understand that traffic that is coming out of the fe-0/0/1 interface with the destination address in the 172.16.10/24 range will be translated to a destination address in the 172.20/24 range. That's basic static NAT. However, Reverse static NAT comes into place when traffic goes into the fe-0/0/1 interface that matches the 172.20/24 range in the source address.

    If traffic is going into the fe-0/0/1 interface and has the source address in the 172.20/24 range, the source address is translated to an address in the range specified in the match condition. In the above example, the source address would be translated from an address in the range of 172.20/24 to an address in the range of 172.16.10/24.

    Fun stuff eh?!
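The rule in the post above run in both directions, as an added example (not from the thread and not Junos code). Static NAT is one-to-one and keeps the host bits, so the reverse translation is the same mapping read backwards; the packet addresses and the second interface name fe-0/0/0.0 are constructed.

```python
"""Prefix static NAT, forward and reverse (added example, not Junos code)."""
import ipaddress
from typing import Dict, Optional, Tuple

# The rule-set from the post, as data.
RULE: Dict[str, str] = {
    "from_interface": "fe-0/0/1.0",
    "match_destination": "172.16.10.0/24",
    "static_prefix": "172.20.0.0/24",
}


def map_prefix(addr: str, src_net: str, dst_net: str) -> Optional[str]:
    """Move addr from src_net into dst_net, keeping its host bits.
    Returns None when addr is not inside src_net (rule does not match)."""
    a = ipaddress.IPv4Address(addr)
    s = ipaddress.IPv4Network(src_net)
    d = ipaddress.IPv4Network(dst_net)
    if s.prefixlen != d.prefixlen:
        raise ValueError("static NAT prefixes must be the same length")
    if a not in s:
        return None
    host_bits = int(a) - int(s.network_address)
    return str(ipaddress.IPv4Address(int(d.network_address) + host_bits))


def apply_static_nat(rule: Dict[str, str], ingress: str, egress: str,
                     src: str, dst: str) -> Tuple[str, str]:
    """Return (src, dst) after the rule is applied to one packet.

    Forward: packet arriving on the rule's from-interface whose destination is
             in the match prefix -> destination rewritten into the static prefix.
    Reverse: packet leaving via that interface whose source is in the static
             prefix -> source rewritten back into the match prefix.
    Anything else passes through untouched.
    """
    if ingress == rule["from_interface"]:
        new_dst = map_prefix(dst, rule["match_destination"], rule["static_prefix"])
        if new_dst is not None:
            return src, new_dst
    if egress == rule["from_interface"]:
        new_src = map_prefix(src, rule["static_prefix"], rule["match_destination"])
        if new_src is not None:
            return new_src, dst
    return src, dst


def round_trip(rule: Dict[str, str], client: str, server: str, other_if: str) -> bool:
    """Request in, reply out: the reply's source must come back as the original
    destination the client used, which is what reverse static NAT guarantees."""
    _, translated_dst = apply_static_nat(rule, rule["from_interface"], other_if, client, server)
    reply_src, _ = apply_static_nat(rule, other_if, rule["from_interface"], translated_dst, client)
    return reply_src == server


if __name__ == "__main__":
    print(apply_static_nat(RULE, "fe-0/0/1.0", "fe-0/0/0.0", "10.1.1.5", "172.16.10.7"))
    print(apply_static_nat(RULE, "fe-0/0/0.0", "fe-0/0/1.0", "172.20.0.7", "10.1.1.5"))
    print(round_trip(RULE, "10.1.1.5", "172.16.10.7", "fe-0/0/0.0"))
```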

  26. Certification Invigilator Forum Admin JDMurray's Avatar
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    9,413
    Blog Entries
    48

    Certifications
    GSEC, EnCE, CISSP, SSCP, CASP, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec (CNSS 4011, 4013)
    #25
    Are Double NATting and Triple NATting next?
