Dr Ahriakin's Singalong JNCIE-Sec Blog

Comments

  • JDMurrayJDMurray Certification Invigilator Surf City, USAAdmin Posts: 11,544 Admin
    Are you actually injecting attacks into your SRX for the IDP to trigger on? If so, where are you getting the attack information?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    I just set up the usual culprits like ICMP, DNS requests, Facebook etc. and in some cases make some basic custom signatures.

    ICMP:INFO:ECHO
    ICMP:INFO:ECHO-REQUEST
    HTTP:INFO:FACEBOOK
    DNS:TRAFFIC


    If you want to pull out filter-specific information from the CLI, do a 'file show' on the following (pretty much in order):

    Signature list (by Title): - match for keywords to save time
    /var/db/idpd/sec-repository/attack.list

    Pre-defined groups (by Title) - Optional but also handy for tasks that seem like they should already have a group you can reference.
    /var/db/idpd/sec-repository/attack-group.list

    Then when you've identified the signature you want to get the real info on (like match criteria etc.) look here:

    Detailed Signature info - Just do a find for the signature identified in the first step
    /var/db/idpd/sec-download/SignatureUpdate.xml
    * Big file, searches from the CLI can be slow, and you will also miss some meta-data that comes before the title; I find it best to export it to my PC and do it from there.


    Detailed Group info.
    /var/db/idpd/sec-download/groups.xml



    E.g. If I started from scratch wanting to find a good Facebook matching signature, or at least make sure my test traffic would match:
    file show /var/db/idpd/sec-repository/attack.list | match facebook
    "HTTP:INFO:FACEBOOK"
    "HTTP:STC:ACTIVEX:FACEBOOK-PHOTO"


    file show /var/db/idpd/sec-repository/SignatureUpdate.xml | find "HTTP:INFO:FACEBOOK"
    
       <Name>HTTP:INFO:FACEBOOK</Name>
       <DisplayName>HTTP: Facebook Access</DisplayName>
       <Severity>Info</Severity>
       <Category>HTTP</Category>
       <Keywords>facebook</Keywords>
       <Recommended>false</Recommended>
       <RecommendedAction>None</RecommendedAction>
       <Description>This signature detects an attempt to reach the Facebook social networking Web site.  Use of this service may violate your organization's acceptable use policy.  This signature can be used to identify these violations.</Description>
       <References>
        <URL>http://www.facebook.com</URL>
       </References>
       <Supersedes />
       <Attacks>
        <Attack>
         <Type>signature</Type>
         <InternalID>18982</InternalID>
         <ExportID>1</ExportID>
         <LastModified>2009-04-08</LastModified>
         <ActivationDate>2009-02-23</ActivationDate>
         <FalsePositives>unknown</FalsePositives>
         <Performance>0</Performance>
         <Service />
         <TimeBinding>
          <Scope>session</Scope>
          <Count>1</Count>
         </TimeBinding>
         <Direction>CTS</Direction>
         <Shellcode>no</Shellcode>
         <Flow>control</Flow>
         <Hidden>false</Hidden>
         <Port />
         <Application />
         <Context>http-header-host</Context>
         <Negate>false</Negate>
         <Offset>0</Offset>
         <Pattern><![CDATA[.*\[\.facebook\.com\]]]></Pattern>
         <Regex />
         <Versions>
          <Version>idp-jsrx9.4</Version>
         </Versions>
        </Attack>
       </Attacks>
       <Direction>
        <Value>CTS</Value>
       </Direction>
       <FalsePositives>
        <Value>unknown</Value>
       </FalsePositives>
       <Performance>
        <Value>0</Value>
       </Performance>
       <Service>
        <Value />
       </Service>
       <Type>
        <Value>Signature</Value>
       </Type>
      </Entry>
      <Entry>
    

    So we can see how it matches with the context and pattern statements and craft the test traffic around it.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
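The off-box search suggested in the post above, as an added example (not part of the original post and not Juniper code): it streams a SignatureUpdate.xml-style file entry by entry, returns the context, direction and pattern for a named signature, and goes one step further by listing signatures by category and severity. The `<Entries>` wrapper element, the two `EXAMPLE:` entries and the function names are assumptions; only the element names inside `<Entry>` come from the output shown above.

```python
import io
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <Entry> quoted in the post. The <Entries>
# wrapper and the two EXAMPLE:* entries are assumptions for this example.
SAMPLE = rb"""<Entries>
 <Entry>
  <Name>HTTP:INFO:FACEBOOK</Name>
  <Severity>Info</Severity>
  <Category>HTTP</Category>
  <Attacks><Attack>
   <Direction>CTS</Direction>
   <Context>http-header-host</Context>
   <Pattern><![CDATA[.*\[\.facebook\.com\]]]></Pattern>
  </Attack></Attacks>
 </Entry>
 <Entry>
  <Name>EXAMPLE:HTTP:CONSTRUCTED</Name>
  <Severity>Major</Severity>
  <Category>HTTP</Category>
  <Attacks><Attack>
   <Direction>CTS</Direction>
   <Context>http-header-host</Context>
   <Pattern><![CDATA[.*constructed.*]]></Pattern>
  </Attack></Attacks>
 </Entry>
 <Entry>
  <Name>EXAMPLE:DNS:CONSTRUCTED</Name>
  <Severity>Major</Severity>
  <Category>DNS</Category>
  <Attacks><Attack>
   <Direction>CTS</Direction>
   <Context />
   <Pattern />
  </Attack></Attacks>
 </Entry>
</Entries>"""


def summarize(entry):
    """Reduce one <Entry> element to the fields needed to craft test traffic."""
    attacks = [
        {
            "direction": a.findtext("Direction", default=""),
            "context": a.findtext("Context", default=""),
            "pattern": a.findtext("Pattern", default=""),
        }
        for a in entry.iterfind("Attacks/Attack")
    ]
    return {
        "name": entry.findtext("Name", default=""),
        "severity": entry.findtext("Severity", default=""),
        "category": entry.findtext("Category", default=""),
        "attacks": attacks,
    }


def iter_entries(source):
    """Stream entries from a path or binary file object.

    Each <Entry> is summarized when its closing tag is seen and then cleared,
    so the whole entry (including fields that precede <Name>) is captured
    without keeping the full file in memory.
    """
    for _event, elem in ET.iterparse(source, events=("end",)):
        if elem.tag == "Entry":
            yield summarize(elem)
            elem.clear()


def find_signature(source, name):
    """Return the summary for the signature with this exact name, or None."""
    for sig in iter_entries(source):
        if sig["name"] == name:
            return sig
    return None


def filter_signatures(source, category=None, severity=None, name_contains=None):
    """List signature names matching every filter given (case-insensitive)."""
    names = []
    for sig in iter_entries(source):
        if category and sig["category"].lower() != category.lower():
            continue
        if severity and sig["severity"].lower() != severity.lower():
            continue
        if name_contains and name_contains.lower() not in sig["name"].lower():
            continue
        names.append(sig["name"])
    return names


if __name__ == "__main__":
    sig = find_signature(io.BytesIO(SAMPLE), "HTTP:INFO:FACEBOOK")
    for attack in sig["attacks"]:
        print(sig["name"], attack["direction"], attack["context"], attack["pattern"])
    print(filter_signatures(io.BytesIO(SAMPLE), category="HTTP", severity="Major"))
```

Against a real export, pass the path of the copied file instead of `io.BytesIO(SAMPLE)`.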
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    K. Another InetZero session down. I did clustering, pretty simple at this stage and it was mainly to get speed up, and UTM - still one of my weaker areas but I went through it about twice as fast as last time. Traffic-options for content filtering still got me though, I was just blind to it even when it was staring me right in the CLI face. I read over the JNCIS-Sec UTM guide this time instead of the O'Reilly Security book just to get some diversity but tbh they're pretty much the same, the book doesn't add anything over the fast-track guide on this subject.

    Anyway I've got about 90 mins left but I'm done for the day.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Went to book some more rack sessions and saw all next week is booked out, I guess it's good they're getting more popular but bad for me with flexibility. Still it's an excuse to get back to some book study and home-lab work that I've been neglecting too much for the last few weeks in lieu of the monster sessions. I do have another this Wed and then 2 more the week of the 25th. They have the Graded Mock Lab available now so I went ahead and took the plunge on buying a session - if you're curious about the details so far there is one lab, they email it as a PDF before the session, pre-load the configs you will need to get started and then will have the results to you within 5 business days with suggestions etc. With just 5 weeks to go I don't have a lot of time so I requested a time-slot between Mar 3rd and 5th (they will get back to you with the exact date, you provide 3 options). Worst case scenario I have the review in hand by the 10th or so and a week to review and work on weaknesses before the main event.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    So some questions actually to those who have done this before (looking at you Aldur and Zoidberg :) ). Without violating any confidentiality what can you tell me (us) about the lab environment itself?

    E.g.
    1. Can we paste to notepad or a similar electronic scratchpad.
    2. I've heard that documentation is available but in what layout (i.e. matching the online library for content and location or a specific local store).
    3. Pencils/Paper available for drawing things out?
    4. Lunch arrangements (being a vegetarian that can sometimes be an issue and the last thing I'd need is low blood sugar mid lab :) ).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • zoidbergzoidberg Member Posts: 365
    You can email the certification people for details on the lab environment, I believe they are generally forthcoming about things like this.

    These are from my experiences. Proctors, environments, and policies change... so don't blame me if these are different ;)

    1. Yes. Notepad and load merge terminal relative may become your best friends ;) Haha. Maybe less on the JNCIE-SEC than the good ole days of JNCIP-M, but still ample use for Notepad and copy/paste.

    You didn't ask this one, but in all my ordeals, SecureCRT showed its familiar and welcoming face. Things change, so this may be something worth asking before you go. Ask about OS and computer as well. Last go or 2 or 3 for me were on Windows laptops. A tip from a former proctor was, BYOKB. If you did all your practice on a certain keyboard, it may be worth bringing. Otherwise, you may be stuck on a laptop keyboard, or maybe a keyboard that is just slightly different enough to irk you. I never brought mine, but once a keyboard was really getting to me. Maybe a mouse too. I believe they expect you to set it up and deal with it if you do bring it, but as long as it's simple plug and play, you should be good.

    2. Previously I've seen the Junos configuration guides in PDF format. If any are missing that you need, ask! You should have the Security guide for the SEC track, but make sure you have all the guides you think you might need; Routing, Switching, L2, etc.

    3. Sometimes. Honestly, bring your own. I can't believe the hassle it was to get a pen last time I was there ;) Try highlighters too perhaps. I'm not sure about outside papers, unless the proctor checks for crib notes, but I'm pretty sure they give you some. Plus you can write on the exam copy and diagrams they give you. Wooo!

    4. May want to bring your own snacks and lunch to be safe. I think there's some coffee and water and soda available. You can bring snacks and stop and eat and drink as you need. Then there will be a lunch break of about an hour. Where are you writing? In Herndon there is a small cafe on the first floor, can't remember how much selection there was. There are a few little places to eat a couple blocks away, and a grocery store which prolly has a good salad bar. In Sunnyvale, not sure if it's still in the same office complex or moved to the main HQ buildings, but either way there should be a bigger cafe. I don't recall many food options in a reasonable walking distance though.
  • AldurAldur Juniper Moderator Member Posts: 1,460
    Zoidberg pretty much nailed it with his answers.

    Definitely bring a keyboard that you're comfortable on. I remember when I took my JNCIP-M exam, which was lab based at the time, and I got put on a laptop and the keyboard was uncomfortable. I still passed the exam, but it would have been nice to have a familiar keyboard.

    If I remember correctly, you're going to SV for your exam? If that's the case the restaurant there does contain veggy options, full salad bar and veggy meal options. (I just confirmed this with the certification team:) )

    Docs are provided in PDF format. Remember to do a ctrl-F to find anything that you might have forgot.

    Good idea to bring your own pen, I've never had a problem with getting one there, but there's always the odd chance you will.

    I think there is coffee provided for free, but I'd always always always recommend that you have a backup caffeine plan. When I took the JNCIE-ER exam I was up all night with stomach problems and got about 1 hour of sleep. I had two full throttles energy drinks on me, downed one during breakfast and one during the exam. I was a little hazy but I did pass the exam.

    Also, in relation to caffeine, one month before a lab exam, I typically go on a caffeine strike to get my body's caffeine tolerance down. So when I do caffeine it up for the exam, I really do get a burst of energy! :D
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • zoidbergzoidberg Member Posts: 365
    Aldur wrote: »
    Also, in relation to caffeine, one month before a lab exam, I typically go on a caffeine strike to get my body's caffeine tolerance down. So when I do caffeine it up for the exam, I really do get a burst of energy! :D

    Haha! That's a new one. And I like it. Good long term strategy. I may try stealing that one in the future :)
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Thanks guys, little details I know but also things I didn't want to have playing on my mind as it gets close. If it is laptop based then yup I think my own mouse and kbd would be a good idea.
    On the caffeine side the wife got me some supplies from La Columbe (if you've ever seen Dangerous Grounds on the travel channel it's that guy's company), part of which was some Chocolate with crushed coffee beans. That stuff is great, tastes good (not bitter) and the caffeine kicks in within a few minutes. Should be easier to pace than multiple cups of Joe. Anyway I'll be grabbing some more of those pre-trip (yes it is SV/CA btw).

    On the study front tonight is the next Rack session. I want to cover VPNs, heavy focus on routing and dynamic types and then will pick from what's left after that (probably IDP). Since they're booked up all next week that will be the last until the 23rd, which actually works out okay as it turns out I have to travel for work next week anyway.
    My mock lab details came through for March 3rd, I'm trying to resist the temptation to peek at the exam (already got it as a PDF) :).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • JDMurrayJDMurray Certification Invigilator Surf City, USAAdmin Posts: 11,544 Admin
    Aldur wrote: »
    Also, in relation to caffeine, one month before a lab exam, I typically go on a caffeine strike to get my body's caffeine tolerance down. So when I do caffeine it up for the exam, I really do get a burst of energy! :D
    Yes, I use this strategy too. A five-day abstinence from caffeine will allow my tolerance to drop to the point where just one cup of black tea will have me buzzing for hours. I need to periodically abstain from caffeine anyway, otherwise I will develop a paradoxical reaction that causes caffeine to put me to sleep.
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    A kinda frustrating session last night. First up I was knackered (Irish for 'exhausted') and fell asleep at the desk for about 30 mins, that's never good... I took a stab at the VPN section and got hung on the route-based/dynamic routing section again. You know that part of an interview where they ask what are your bad points and just about everyone says something about refusing to give up and sticking too long at issues to get past it? Well for me that's true, sometimes to a very detrimental level, I couldn't just move on and hammered away at it over and over again. I finally gave up and loaded on the end-of-scenario configs and it still didn't work. I really need to just do a mini version of this on my own lab as I originally intended, no rental sessions for the next week and a half so it's a good opportunity to do so.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    No no I haven't been on holiday (I wish), as I mentioned earlier I had to head out of town last week. I loaded up my mobile Kindle app collection and config PDFs to do some serious study at the hotel...which ended up being about an hour at the airport on the way out. I remember when business trips meant relaxing in a cushy room after work not then having to go check email, vpn in, work on other projects etc. until the wee hours. Life was simpler....and broker....I guess you can't have everything. Anyway got back on track with another Rack rental session tonight: Screens, Firewall Filters, IDP, Transparent Mode and FBF. All ones I had done before so no real issues, I did finally get IDP chain signatures to 'click' tonight, I kept forgetting to use the root expression to bind the members together. Kind of an odd way of doing it if you ask me it should just use all the members imho and rely on you to remember to deactivate or remove the ones you don't want, also the fact that it uses a verbose Boolean system instead of regex for that one function throws me. Ah well just something else to memorize.

    Next session is wed. night and I'm going to take a run at the super-lab. Then the graded Mock lab next weekend.

    3 weeks to go from Tuesday, it's getting close.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    I found an old but good webcast covering some lab experiences, JNCP Update: Preparing for the New Junos JNCIP and JNCIE Exams - Juniper Networks , the meat of the Security side starts around 21mins.
    Also google prep group, not a lot of info but still some good nuggets up there, https://groups.google.com/forum/#!forum/jncie-sec-prep
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Tonight was home lab time, reconfiguring some of the boxes from scratch again to clean them up (and get some speed practice in with EMACs shortcuts I don't normally use) and then on to Dynamic Routing over IPSEC...yes the thing I could never get working on the remote sessions. For things like this it's easier to see the process and pitfalls when building it from nothing than deciphering the issue with an existing config. And it all came up straight away easily enough, I think the issue previously was with the security policy config and the zone membership of some of the loopbacks used in source/destination and monitoring services, basically not allowing intra-zone traffic where needed. If I get time maybe I'll compare configs next time I'm on the InetZero racks but I have more important things to worry about now I know I am doing it correctly.
    Soooo, just a simple triangle running OSPF over IPSEC with and without GRE in the mix, some running DPD/others VPN-monitoring. Tomorrow I think it's on to Dynamic and Group VPN.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    A short night, just too tired. I did some Dynamic-VPN work, it's not hard but really an exercise in remembering order of configuration since you jump around quite a bit it's a lot easier to standardize the order in which you approach it (also it's pretty modular so you end up referencing previously configured components quite a lot as you go). I did run into a small problem with the pulse client in that it wouldn't auto install under Firefox, I manually downloaded and installed it and then also checked in IE where it did try to auto-download correctly but neither would force a launch. So manually again worked but there were no connection details, I kept getting auth errors until I found that the URL for the connection is not really a URL but simply the IP of the FW (no https://). Odd but once that was in place it was okay.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    I took a stab at the InetZero superlab tonight. 6.5 hours later and I have 5 of 7 tasks complete: Users, Interfaces, Management, clustering, routing, UTM, NAT and all the lovely security-policy work in between down... VPN and Attack-Mitigation left, but I'm calling it a night. I've saved out the configs and will get back to this next week as I have their full grade mock-lab this Saturday and I'm not THAT much of a glutton for punishment.

    The super-lab is pretty good, I didn't find any of the concepts hard just a tremendous amount of configuration work. I had to double check a few things in the docs, like route preferences...which is wrong in the admin config guide as it states higher is better...luckily I double checked online and everything else (incl. juniper.net articles) says the opposite. Comparing it to the CCIE there is much more foundational config required here, it'll be interesting to see if the mock-lab is the same or if the super-lab is not really meant to be done in one session. Maybe I'm just too sloooooowwwww.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Just finished the InetZero mock lab. That was ....tough....I finished up with just 20 mins to go, long enough to get my configs backed up and check some backbone information but not really do a proper scan. They allocated 7:30 for this, with a hard stop after 7:45 to allow 15 mins for the automated config backup for later grading. Taking out break/food time I was probably at it for about 7hrs.
    I'm guessing (since I could go back and verify everything) that this will not be a pass. There were a few tricky tasks, some that actually made me smile...some that made me wince but overall it was fairly challenging. Again my biggest enemy was time. Besides anything else I've noticed my typing accuracy has gone to hell and working over console latency can get in the way sometimes too as I type in flurries so I picked up a new mechanical keyboard (Cherry brown switches for the keyboard geeks among us) and it will take a while to get used to but I think it will be better since it's already cutting down on the flubs. I also made sure it was small enough to fit in my carry-on to take with me to the lab :).

    There were a few errata in there that I noted down and will send back to them, and some of the wording was odd to put it mildly so in those cases I annotated the config.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Tonight was re-reading the AJSEC guide. I got through chapters 1-6, so approx. 50% and everything except IPSec. I fired up the lab in parallel but wanted to focus on the reading side and only used it for some command verification or if I felt remotely unsure of some syntax. I picked up what will likely (if things go okay in 2 weeks) be my last InetZero sessions. Booked tomorrow, Sunday and next Wed. I've done each scenario a few times now so this will be more of a speed trial. Otherwise my plans are to finish the AJSEC and JIPS guides by this weekend and then spend the following week on my own scenarios. I need to get my speed up on Dynamic and Group VPNs, Transparent mode (not hard but I still have to stop and think about the steps and I should do what I can to shave some time down) and custom IDP sigs/groups. I've booked a day off to make the weekend before I go a long one and my boss has hinted I can maybe wangle another day without having to use up vacation so that will help, but it's going to be a very busy week at work so I can't rely on that.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    I was ill yesterday so didn't get a chance to do much, I tried to work on my Rack session in the evening but after an hour it was going nowhere so I had to quit. I did get my results from InetZero on the graded mock-lab and as expected it was a fail, it was for the exact reasons I expected which was lots of little sloppy mistakes (like not actually activating the IDP policy I'd spent a fair bit of time working on). Their summary was that I had mastered the technology and concepts but needed to work on accuracy and having enough time to check back over everything, again I'd agree as I didn't find any task technically hard (not a criticism of the lab, it was tricky but I think I've hit the tech side enough at this stage to be competent) but as I said afterwards I was really rushing through and still didn't have time to check anything over. So overall I think the graded mock-lab was well worth it, well written/presented and the feedback was detailed and accurate, highly recommended.

    Now to work like hell on my speed...
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AldurAldur Juniper Moderator Member Posts: 1,460
    Man, the whole IDP policy thing brings back memories. I really thought I had forgot to activate the IDP policy when I took my exam. To say the least, I was crazy worried about it until I found out that I received a pass. It's sooo easy to forget little things like that.

    Sounds like you're well on your way to being ready, as you said, speed is going to be the key. Try to make sure that you get the real lab done in about 4 - 5 hours. So that way you have 3 - 4 hrs to check your work.
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • AldurAldur Juniper Moderator Member Posts: 1,460
    Also, another fun tip, that I just remembered helped me tons.

    When working in a chassis cluster, use the configure shared command. The shared part is hidden so it must be typed out completely. This allows you to commit the config anywhere in the hierarchy. By only using the configure command to jump into configuration mode on a cluster, you have to do commits at the top of the hierarchy, which as you probably know, slows you down. Every second counts :)

    I wouldn't recommend using the configure shared command in a production setting, but for a lab setting, specifically for a lab test, it works quite well. :)
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Good point. I've used it before, you pretty much have to with the branch series on the first run after clustering if you don't delete the std. control-port interface, but I hadn't thought about using it for saving on 'top' all the time :). It may just be a few seconds each time but they add up.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Still not feeling 100% so another short night. I did some practice on route-based tunnels with OSPF again, using loopbacks as monitoring sources etc. I ran into a similar issue to what I was seeing on the rack sessions this time though, where the tunnel interfaces could not ping each other and OSPF would not come up. I compared the current config to one I had saved from a previous session where it had all worked and still couldn't see the issue...one reboot later and they were fine...It's all too easy to presume it's something you missed in an exam environment when sometimes it's just plain old gremlins :).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    I finished the AJSEC guide again and ran through some more exercises covering OSPF over route-based (single and multipoint). Also worked on Dynamic/remote access VPN and when I thought I had it down, deleted it all and started again just to be sure :) It's definitely a task that is more about memorization than logical flow but it's not really hard once you do it a few times.
    I played around with direct routing also, primarily BGP and filtering. I had 3 routing-instances and was doing an instance-import from 2 to 1, initially I was only getting the first table to import correctly and then realised that it was the ultimate reject statement in each policy that also stops it processing the other chained import. Sooo, removed that term....then had everything from the other instance pile over which brought back that policy-statements end with an implicit permit, not a deny like pretty much everything else on an SRX. The solution was to create one import-policy that references both instances and filter sets as terms within it and then end with the reject. Moral of the story, while you can chain policies on the instance-import function you shouldn't as in most cases it will not achieve what you want.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    I did the InetZero super-lab again last night. By Task4 I figured I had shaved an hour off my previous attempt and then realised that with the time change it was 2...not bad. But then that wasn't just a speed increase but also the simple fact I had seen the content before. Just one more session on Wed and I'll use that to poke around UTM, IDP and Transparent mode I think. For better or worse I have a big SRX project at work, on one hand it's eating into my time a lot but on the other it's helping with some of the speed workouts, I did just shy of 2000 lines of policy and nat config on Friday for it so it helps with typorobics....if only that burned more calories...
    Tonight will be finishing the JIPS book, got about halfway through it over the weekend, some IDP scenarios. I still need to work on chain signatures a bit. I also really need to do some basic documentation mining-exercises. I've not used the official config documentation at all and I really need to make sure that if I need it during the lab I can find what I need quickly.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Just finished a few hours of non-IPSEC ospf, VPNs and Transparent mode. Mainly trying some variations from the usual simple tests, breaking them and watching behavior and traces. Nothing exciting :). It's hard to focus tbh at the moment, 1 week to go and there are no standout areas I can pick off. As I've said many times lately above the main thing now is speed which is why I've focused a fair amount of time on IPSEC. It's not hard but there is enough raw config involved in a tunnel that it's a good area to work on config-muscle-memory and how to best copy/paste/replace between peers for efficiency. Even simple things like having a good naming convention practiced does wonders, not only for how you can identify the elements when the config gets more complicated but also for ease of use when using the replace command and longer show command match strings for verifying multiple components. I think I have that down pretty well at this stage.
    Tomorrow is the last (fingers crossed) InetZero session.

    I'm pretty exhausted at the moment, you'll have seen me say it multiple times above, it's been building for quite a while now. I'm working on the single biggest and most technically complex project I've ever done at work and then trying to do this too....whinge/whine/boohoo I know :). But since this thread is not just self promotion or some robotic form I think it's important to also add the impact this level of study is having emotionally....even if it does make me look like a wuss. Thankfully the wife is dealing with the isolation well and not adding pressure there, and I am still taking some breaks (no study last night) but I will be very glad when this is done. I need a break.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Fare thee well InetZero sessions, you served me well...okay I hope they will have served me well by next Tuesday evening but if all goes to plan that was my last. Tonight was Dynamic VPN, Source/Destination/Static NAT, Screens and IDP. I spent a good deal of time on chain attacks again and think I have them definitely nailed with relationship of members vs. how to write the binding expression finally being crystal clear - I made a point of starting each SET command from just under the [security idp] stanza instead of navigating down, forcing repeated verbose commands to just drill the process in...tedious but it works....and then you have to unlearn that approach to make sure you can do it faster by navigating down efficiently. Screens and NAT were no issue, if they were at this stage I'd need to think about cancelling the trip.

    Tomorrow I want to finish the JIPS guide again and maybe do some hit and run there. I've booked Friday off from work so from it through Sunday I will be hitting every little thing I can think of, starting with the JNCIA fast track guides and working my way up the food chain.
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Last night was spent reading through the IDP and AppDOS chapter in the O'Reilly book and playing around with some of the more esoteric IDP commands (sensor configurations and the like). Nothing much tbh, I took it pretty easy knowing I'd have a full extra day off to work on the lab today.
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Played around with schedulers, Firewall pass-through and web-authentication, remote-access VPNs and some tunnel based VPN again last night. Just finished playing around with multipoint tunnels with/without GRE and OSPF...the single most important lesson there is ALWAYS check that your st0.0 MTU matches across any linked tunnels (and to be safe lower to something like 1350), or OSPF will likely never come up even though connectivity across the tunnels is good. It's an easy thing to forget and I often do on these tasks. I'm definitely preparing a "Did you...?" sheet at the start of the lab (e.g. Check MTU, Check IDP Policy was activated etc.). Since it's on the blueprint I logged into a 5600 at work and did a little on AppDOS but from what I understand the Lab is branch only and it's not supported. Still it doesn't hurt to prepare, and there's always for knowledge's sake.

    Next up I think some filter based forwarding and playing around with route-imports, I've done this quite a bit with import policies (which I much prefer) but I want to practice a little more with Rib-groups in case it comes up as a specified route sharing solution. Then perhaps some more work on IDP. I need to practice filtering the various .xml files holding group and signature information so I can use it to match for any rules using pre-existing groups/signatures. That was an issue for me initially when doing the InetZero rack sessions as a task might ask to block all HTTP attacks of a certain type/severity, I like to use my own dynamic-groups but it doesn't hurt to know how to see those parameters in the Downloadable sets from Juniper, or even just the correct syntax for the match conditions. I wrote a note on this on the last page I think so I won't repeat the file names/locations here but if you want more info the O'Reilly security book has a good write up on them in the IDP chapter.
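The offline filtering by attack type and severity that the post above describes, as an added example that is not part of the original thread: a Python sketch that streams an exported copy of SignatureUpdate.xml and lists entries by name prefix and severity. Only the `<Name>`, `<DisplayName>` and `<Severity>` elements appear in the thread; the wrapper tags, the function names and the sample entries are assumptions constructed for this example.

```python
import io
import xml.etree.ElementTree as ET

# Constructed sample. Only <Name>, <DisplayName> and <Severity> come from the
# thread; the <Root>/<Entry> wrappers and the last two entries are assumptions.
SAMPLE_XML = b"""<Root>
  <Entry>
    <Name>HTTP:INFO:FACEBOOK</Name>
    <DisplayName>HTTP: Facebook Access</DisplayName>
    <Severity>Info</Severity>
  </Entry>
  <Entry>
    <Name>HTTP:EXAMPLE:CONSTRUCTED-SIG</Name>
    <DisplayName>HTTP: Constructed Example</DisplayName>
    <Severity>Major</Severity>
  </Entry>
  <Entry>
    <Name>ICMP:INFO:ECHO-REQUEST</Name>
    <DisplayName>ICMP: Constructed Display Name</DisplayName>
    <Severity>Info</Severity>
  </Entry>
</Root>"""


def sample_stream():
    """Return the constructed sample as a binary file-like object."""
    return io.BytesIO(SAMPLE_XML)


def find_signatures(source, name_prefix="", severity=None):
    """Return (name, display name, severity) tuples matching the filters.

    source is a file path or binary file object. The file is streamed with
    iterparse because the real export is large. Any element with direct
    <Name> and <Severity> children counts as an entry, so the result does
    not depend on the assumed wrapper tag name.
    """
    wanted_prefix = name_prefix.upper()
    wanted_sev = severity.lower() if severity else None
    matches = []
    for _event, elem in ET.iterparse(source, events=("end",)):
        name, sev = elem.findtext("Name"), elem.findtext("Severity")
        if name is None or sev is None:
            continue  # a child tag or a container, not a signature entry
        name, sev = name.strip(), sev.strip()
        if name.upper().startswith(wanted_prefix) and wanted_sev in (None, sev.lower()):
            matches.append((name, elem.findtext("DisplayName", default="").strip(), sev))
        elem.clear()  # free the processed entry so memory stays flat
    return matches
```

Calling `find_signatures("SignatureUpdate.xml", "HTTP:", "major")` on an exported copy returns the names to check against a rule's match conditions, including the metadata lines that a CLI `find` on the title skips.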
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Next thing to make sure and remember, when using an Instance-import from the inet.0 table the instance name is actually "master". I got sidetracked a little and did a lot of hit and run activities on anything that popped into my head and I did not definitely or quickly enough know the answer. Did exercises on system settings like snmp, syslog, a couple of good ones on User/Class permissions and commands, some routing with different preferences and the like.
    I had said I was done with Rack sessions, and that I was taking tomorrow off but due to a minor licensing snafu during a session last week InetZero gave me a free session (which was nice of them since it really was minor). So I figure I'll trade hours and take off early tonight then just do a few hours tomorrow night on UTM since I don't have that on my home lab at all.