Monday, March 28, 2022

JUNIPER SECURITY certification

My day job requires me to maintain a few Juniper certifications, so I took the JNCIA-SEC exam and passed. The exam should be called Juniper ATP since most of the exam focus was on ATP.


The screenshot below shows the exam objectives.




One thing I found interesting is that the exam did not really have a lot of diagnostic or troubleshooting exhibits. Most of the items were straightforward questions about practical use.









NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

         o
      /      \ 


Sunday, March 13, 2022

GoGoGo goBGP for RTBH injection

In most big enterprises and MSSPs, the need exists for BGP route injection for blackholing. I wrote about an open-source Python BGP daemon earlier, http://socpuppet.blogspot.com/2020/12/using-yabgp-for-blackhole-injection.html. Here is goBGPD, which is the next evolution in open-source routing:

https://osrg.github.io/gobgp/

goBGPD is another simple means and is great if you want to inject routes. Most of the time we collect C&C and malicious addresses from the IPS/IDS/SIEM, run them through a check, and then inject the ip.list.

Let's look at a simple configuration file


/* 192.168.1.99 is a FGT firewall fwiw




Now to craft routes, we can do a simple for loop and read in a list of addresses from a file.
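An added example (not the post's own loop or config) of that read-check-inject step as a POSIX shell script: it validates each address, skips bogons and a constructed allowlist of addresses that must never be blackholed, and injects the rest with gobgp's global rib add. It assumes gobgpd is running locally, that the gobgp CLI accepts the community keyword as shown, and that the receiving side maps the RFC 7999 BLACKHOLE community 65535:666 to a discard.

```shell
#!/bin/sh
# Added example (not the post's own script): read addresses from a list file,
# check each one, and inject the survivors as /32 RTBH routes via the gobgp CLI.
# Assumes gobgpd is running locally; set GOBGP=echo for a dry run.
GOBGP="${GOBGP:-gobgp}"
# Constructed allowlist: addresses that must never be blackholed (own infra, peers).
NEVER_BLACKHOLE="${NEVER_BLACKHOLE:-192.168.1.99 10.10.10.2}"

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 only if $1 is a public unicast address that is safe to blackhole
# from an external feed: well-formed, not a bogon, not on the allowlist.
blackhole_candidate() {
    valid_ipv4 "$1" || return 1
    case "$1" in
        0.*|10.*|127.*|169.254.*|192.168.*|22[4-9].*|2[3-9][0-9].*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    esac
    for safe in $NEVER_BLACKHOLE; do
        if [ "$1" = "$safe" ]; then return 1; fi
    done
    return 0
}

# Inject every candidate in list file $1 as a /32 tagged with the RFC 7999
# BLACKHOLE community (the receiving policy must map it to discard). Blank
# lines and '#' comments are ignored; RTBH_ADDED holds the number injected.
inject_rtbh_list() {
    RTBH_ADDED=0
    while IFS= read -r line || [ -n "$line" ]; do
        addr=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$addr" ] || continue
        if ! blackhole_candidate "$addr"; then
            printf 'skipping %s: not a safe blackhole candidate\n' "$addr" >&2
        elif "$GOBGP" global rib add "$addr/32" community 65535:666; then
            RTBH_ADDED=$((RTBH_ADDED + 1))
        fi
    done < "$1"
}
```

Run it as `. ./inject_rtbh.sh; inject_rtbh_list ip.list` and check RTBH_ADDED afterwards; withdrawing later is the matching `gobgp global rib del` per prefix.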



GoBGP has a CLI command controller which is simple and mimics the classic legacy Merit GateD; just type gobgp --help to see your options.


You can do just about everything; see a few samples below:


Disable and re-enable a BGP peer



Actively monitor RIB updates







Check our global config









If you need to drop (withdraw) an address, you can delete all or specific prefixes.




Checking routes sent is easy: just check the adj-out.




Or just see the BGP neighbor establishment state.



GoBGP has been around for some time, supports numerous SAFIs, and is easy to manage for RTBH or to inject specific /32s into a firewall so that uRPF introduces a failure and traffic to or from that address through the firewall will be dropped.


A list of 1000k /32s only took me 9 seconds to advertise via goBGP on a small-footprint Ubuntu server and a FGT100D.











Friday, March 11, 2022

howto send rpc cmd via junos and netconf and ssh

Within Junos you can send cmds from a list via NETCONF. The first thing you need to do is look at the "| display xml rpc" output for the command and then use that in your file.


Here's a "show system information" in rpc syntax:

supports-MacBook-Pro:~ ken$ cat sys
<rpc>
        <get-system-information>
        </get-system-information>
</rpc>



Here's a "show arp" in rpc syntax:

supports-MacBook-Pro:~ ken$ cat arp
<rpc>
   <get-arp-table-information/>
</rpc>

 

You could easily just pipe the above via ssh and NETCONF into the Juniper device:

supports-MacBook-Pro:~ ken$ cat sys arp | ssh -6 root@2001:1258:727:12::1 -s netconf



The output will be dumped back in XML format, e.g.:

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/19.4R3/junos">
<system-information>
<hardware-model>mx104</hardware-model>
<os-name>junos</os-name>
<os-version>19.4R3-S11</os-version>
<serial-number>T623</serial-number>
<host-name>core1.usme</host-name>
</system-information>
</rpc-reply>
]]>]]>
<rpc-reply xmlns="urn
( output snipped )










Sunday, March 6, 2022

Large bgp community support in FortiOS

I was working with a group that had a FortiGate and was not seeing large communities. So we did some trial and testing and found out the UPDATE had the large community sent, but the FortiGate drops that community.


e.g. (10.10.10.2 sent standard/extended/large communities):

SOCPUPFGT02 # get router info bgp network 10.19.22.0/25
VRF 0 BGP routing table entry for 10.19.22.0/25
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  Original VRF 0
  2
    10.10.10.2 from 10.10.10.2 (10.10.10.2)
      Origin IGP metric 1111, localpref 100, valid, external, best
      Community: 1234:1234 1234:1235 5706:1111 65535:0
      Extended Community: RT:64511:1
      Last update: Thu Mar  3 04:00:40 2022


As you can see, we have no large communities in the list. Support provided the following link, which explains which BGP RFCs are supported.









