Friday, February 19, 2021

My top things that I hate about juniper SRX firewall


1: Junos software updates are slow. The SRX, or any Juniper device for that matter, is extremely slow and tedious to update.

2: No means to restrict concurrent sessions per firewall policy, no simple way to deploy GEO policies, and no blacklist subscription service without additional licensed features

3: No means to enforce tcp-mss per firewall policy

4: Packet-capture operations require you to actually make changes to the configuration in order to create a simple pcap

5: No easy way to create many ipsec-tunnels

6: Configuring ipsec-tunnels is a tedious and time-consuming process

7: Still no WCCP intercept for proxy integration. The normal Junos solution for transparent proxying is a non-WCCP approach that is a hocus-pocus mix of route-ribs, filters, event monitors, and a host of other items to get it to work. JNPR, get over the fact that Cisco was the original designer and supporter of WCCP. WCCP is what we should have and be using.

8: Layer-2 virtual wire pairs are not a current feature or on any forecast

9: SD-WAN is not a simple feature to deploy and requires a specific SRX model plus an additional license

10: A simple on-board proxy for web/ftp is not available

11: AV/DLP/IPS/IDP deployment is clumsy and more difficult than on other firewalls

12: PBR deployments for specific routing needs are not easily doable

13: My final item: simple server-load-balancing DNAT VIPs are not a supported feature




Ken Felix 

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \


Thursday, February 11, 2021

A simple python script to insert objects into LogicMonitor

 I was playing around with the LogicMonitor API interface and wanted to try my hand at a Python script that prompts for devices.


Here's what I came up with 


$ cat addDeviceToLM.api2

#!/usr/bin/env python3
# Prompt for a device and add it through the LogicMonitor REST API using LMv1 auth.
import base64
import hashlib
import hmac
import json
import time

import requests

ipv4 = input("Please enter device IPv4 address from lo0: ")
devname = input("Please enter short device name e.g switch-1: ")

# echo back your data
print(ipv4)
print(devname)

# Account info for the API keys that you generate for the user.
# Treat the access key like a password: keep it out of version control and rotate it if it leaks.
AccessId = 'jJk7cu6nwKEfs85WYv547'                        # your access id
AccessKey = 'h267(Zr{9A{Q99948a8{cK4n7P7G7}WZ(G^)63VV'   # your access key
Company = 'socpuppets'                                   # your portal name here

# Request info: add a device
httpVerb = 'POST'
resourcePath = '/device/devices'

# POST data sent to the API. json.dumps escapes the prompt answers, so a name
# containing a quote or brace cannot break (or extend) the JSON the way plain
# string concatenation would; it also emits the documented types (int, bool).
data = json.dumps({
    "name": ipv4,
    "displayName": devname,
    "preferredCollectorId": 122,
    "description": devname,
    "enableNetflow": False,
})

# Construct URL
url = 'https://' + Company + '.logicmonitor.com/santaba/rest' + resourcePath

# Get current time in milliseconds
epoch = str(int(time.time() * 1000))

# Concatenate request details: LMv1 signs verb + epoch + body + path
requestVars = httpVerb + epoch + data + resourcePath

# Construct signature: base64 of the hex HMAC-SHA256 digest (hmac needs bytes in Python 3)
digest = hmac.new(AccessKey.encode(), msg=requestVars.encode(), digestmod=hashlib.sha256).hexdigest()
signature = base64.b64encode(digest.encode()).decode()

# Construct headers
auth = 'LMv1 ' + AccessId + ':' + signature + ':' + epoch
headers = {'Content-Type': 'application/json', 'Authorization': auth}

# Make request; the body must be sent exactly as it was signed
response = requests.post(url, data=data, headers=headers, timeout=30)

# Print status and body of response
print('Response Status:', response.status_code)
print('Response Body:', response.text)




YMMV, but LogicMonitor will give you a warning if the data is formatted incorrectly or if it's a duplicate.
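Added example (not the script above and not LogicMonitor's own code): the same LMv1 signing split into functions so the Authorization header can be checked without a live portal, placed next to the one real bug in a concatenated JSON body. A device name typed at the prompt that contains a quote either breaks the request or, as the constructed `sneaky` value shows, smuggles an extra field into it. The portal name, access id and key used below are placeholders, and nothing is sent.

```python
#!/usr/bin/env python3
"""LMv1 signing for the LogicMonitor REST API, split into testable functions.

Added example, not the script from the post. The portal name and API credentials
passed in by the caller are placeholders, and nothing here sends a request: the
functions only prepare the URL, headers and body so they can be checked offline.
"""
import base64
import hashlib
import hmac
import json
import time

LM_API_BASE = "https://{company}.logicmonitor.com/santaba/rest"


def device_payload_concat(ipv4, devname, collector_id=122):
    """The post's approach: splice the prompt answers straight into a JSON string."""
    return ('{ "name": "' + ipv4 + '", "displayName": "' + devname
            + '", "preferredCollectorId": ' + str(collector_id)
            + ', "description": "' + devname + '", "enableNetflow": false }')


def device_payload(ipv4, devname, collector_id=122):
    """Safe version: json.dumps escapes the values and emits real JSON types."""
    return json.dumps({
        "name": ipv4,
        "displayName": devname,
        "preferredCollectorId": collector_id,
        "description": devname,
        "enableNetflow": False,
    }, separators=(",", ":"))


def parse_payload(text):
    """Return the decoded object, or None if the text is not valid JSON."""
    try:
        return json.loads(text)
    except ValueError:
        return None


def lmv1_signature(access_key, verb, path, body, epoch_ms):
    """LMv1: base64( hexdigest( HMAC-SHA256(access_key, verb + epoch + body + path) ) )."""
    msg = (verb + epoch_ms + body + path).encode()
    digest = hmac.new(access_key.encode(), msg, hashlib.sha256).hexdigest()
    return base64.b64encode(digest.encode()).decode()


def decode_signature(signature):
    """Strip the base64 layer; what remains is the 64-character hex digest."""
    return base64.b64decode(signature).decode()


def lmv1_request(company, access_id, access_key, verb, path, body="", epoch_ms=None):
    """Prepare (url, headers, body) for a signed call; body is signed byte-for-byte as sent."""
    if epoch_ms is None:
        epoch_ms = str(int(time.time() * 1000))
    sig = lmv1_signature(access_key, verb, path, body, epoch_ms)
    headers = {
        "Content-Type": "application/json",
        "Authorization": "LMv1 " + access_id + ":" + sig + ":" + epoch_ms,
    }
    return LM_API_BASE.format(company=company) + path, headers, body


if __name__ == "__main__":
    # Constructed input: a device name that smuggles an extra JSON field.
    sneaky = 'switch-1", "hostGroupIds": "1'
    print("concatenated:", parse_payload(device_payload_concat("10.0.0.1", sneaky)))
    print("json.dumps:  ", parse_payload(device_payload("10.0.0.1", sneaky)))
    url, headers, body = lmv1_request("socpuppets", "ACCESS_ID", "ACCESS_KEY",
                                      "POST", "/device/devices",
                                      device_payload("10.0.0.1", "switch-1"))
    print(url, headers["Authorization"], body, sep="\n")
```

Because the body is part of the signed string, whatever json.dumps produces must be sent byte-for-byte: serialize once and reuse that string for both the signature and the request.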






Tuesday, February 9, 2021

Fortigate as a PACfile server

 I wanted to bring this post up based on a finding a few years back with a client. We had a FortiGate as the web proxy and it was also issuing the PAC file.

The client was moving their explicit proxy to a Barracuda but wanted to keep the FortiGate as the server for the proxy PAC-file URL.


They deployed a PAC-file URL checker that kept failing, even though the URL was correct. What we found out was that the FortiGate does NOT answer an HTTP HEAD request.


It also does not provide a Server header. So if you're doing any PCI scan and it flags that, you really can't do anything about it.

Example (a HEAD request always gets a 403 response):



No Server header in the response.


Just some food for thought if you're serving a PAC file from a FortiGate.
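The check a PAC-URL validator performs, as an added example that is not part of the original post: send HEAD and then GET to the PAC URL and report the status codes, whether a Server header came back, and whether the body is actually a PAC file. Since the FortiGate is not available offline, the block includes a small stand-in HTTP server that reproduces the behaviour described above (403 on HEAD, PAC body on GET, no Server header); the PAC body, the proxy address inside it and the /proxy.pac path are assumptions.

```python
#!/usr/bin/env python3
"""Probe a PAC URL the way a PAC checker or scanner does: HEAD, then GET.

Added example, not from the post. PacStandIn mimics the FortiGate behaviour the
post describes (HEAD -> 403, no Server header) so the probe can run offline;
PAC_BODY, the proxy address in it and the /proxy.pac path are constructed values.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PAC_BODY = b'function FindProxyForURL(url, host) { return "PROXY 10.0.0.2:8080; DIRECT"; }\n'


class PacStandIn(BaseHTTPRequestHandler):
    """Serves the PAC on GET, refuses HEAD with 403, and never sends a Server header."""

    def do_HEAD(self):
        # send_response_only() writes just the status line; send_response() would
        # also add the Server: and Date: headers we want to leave out.
        self.send_response_only(403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self.send_response_only(200)
        self.send_header("Content-Type", "application/x-ns-proxy-autoconfig")
        self.send_header("Content-Length", str(len(PAC_BODY)))
        self.end_headers()
        self.wfile.write(PAC_BODY)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_stand_in():
    """Start the stand-in on 127.0.0.1 with an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), PacStandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(host, port, path, method, timeout=5):
    """One plain-HTTP request; returns (status, lower-cased header dict, body bytes)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read()
    finally:
        conn.close()


def check_pac_url(host, port, path="/proxy.pac"):
    """Return the findings a PAC-URL checker or a PCI scanner would report."""
    head_status, _, _ = probe(host, port, path, "HEAD")
    get_status, get_hdrs, body = probe(host, port, path, "GET")
    return {
        "head_status": head_status,
        "get_status": get_status,
        "head_rejected": head_status != get_status,   # checker that uses HEAD will fail
        "server_header": get_hdrs.get("server"),       # None: scanner cannot fingerprint it
        "pac_served": get_status == 200 and b"FindProxyForURL" in body,
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                    # python3 pac_check.py <host> </path/to.pac>  (port 80)
        print(check_pac_url(sys.argv[1], 80, sys.argv[2]))
    else:                                     # no arguments: run against the stand-in
        srv, port = start_stand_in()
        print(check_pac_url("127.0.0.1", port))
        srv.shutdown()
```

Against the real FortiGate, run it with the PAC host and path; a result with head_rejected true and pac_served true is the "URL is fine, the checker is wrong" case from the post.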






Friday, February 5, 2021

HOWTO make rpc calls to acquire details from junos routers or switches

For alerts and regular maintenance actions you typically need to acquire details about the state of the Juniper device.


You basically need a mini-RSI (request support information) that you can easily execute.


If you build a file for the collection, you can call the file up and acquire the details.


Example collection file using the rpc format:

 "cat junosroutercollection.txt"


=================SOF contents ===========================
<rpc>
        <get-bgp-summary-information>
        </get-bgp-summary-information>
</rpc>
<rpc>
        <get-route-summary-information>
        </get-route-summary-information>
</rpc>
<rpc>
        <get-arp-table-information>
        </get-arp-table-information>
</rpc>
<rpc>
        <get-system-uptime-information>
        </get-system-uptime-information>
</rpc>
<rpc>
        <get-ospf-interface-information>
        </get-ospf-interface-information>
</rpc>
<rpc>
        <get-vpls-connection-information>
        </get-vpls-connection-information>
</rpc>
<rpc>
        <get-system-uptime-information>
        </get-system-uptime-information>
</rpc>
<rpc>
        <get-software-information>
        </get-software-information>
</rpc>
<rpc>
        <get-system-users-information>
        </get-system-users-information>
</rpc>
<rpc>
        <get-arp-table-information>
                <no-resolve/>
        </get-arp-table-information>
</rpc>
<rpc>
        <get-interface-information>
                <level-extra>descriptions</level-extra>
        </get-interface-information>
</rpc>
<rpc>
        <get-route-engine-information>
        </get-route-engine-information>
</rpc>
<rpc>
        <get-fpc-information>
                <detail/>
        </get-fpc-information>
</rpc>
<rpc>
        <get-statistics-information>
        </get-statistics-information>
</rpc>
<rpc>
        <get-alarm-information>
        </get-alarm-information>
</rpc>
<rpc>
        <get-license-summary-information>
        </get-license-summary-information>
</rpc>
<rpc>
        <get-log>
                <filename>messages</filename>
        </get-log>
</rpc>
===================================================



Now to execute, just cat the file and pipe it through the NETCONF subsystem over ssh:

e.g.

                   cat   <filename>   | ssh  <username>@<x.x.x.x>   -s netconf


You can get creative and pipe it through mail:

cat   <filename>   | ssh  <username>@<x.x.x.x>   -s netconf | mailx -s collection noc@yourdomain.net

Keep in mind that this collection includes the messages log and the logged-in users, so the mail step sends that in the clear unless your mail path is protected.
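Two additions to the procedure above, as an added example rather than the author's own tooling: a generator for the collection file (so RPC arguments such as <no-resolve/> are rendered consistently and the file ends with <close-session/>, which ends the NETCONF session cleanly), and a triage step that splits the session output on its ]]>]]> message delimiters and flags any reply carrying an <rpc-error>, which is easy to miss once the whole dump goes out through mailx. SAMPLE_SESSION is a hand-constructed transcript, not captured output, and the RPC list is a subset of the file above.

```python
#!/usr/bin/env python3
"""Generate the Junos RPC collection file and triage the NETCONF reply.

Added example, not from the post. The RPC names are the ones from the collection
file above; SAMPLE_SESSION is a hand-constructed transcript of what
"ssh ... -s netconf" returns, used so the triage can be exercised offline.
"""
import xml.etree.ElementTree as ET

NETCONF_EOM = "]]>]]>"   # NETCONF 1.0 end-of-message marker between messages

# (rpc name, {child: text}); a child of None renders as an empty flag like <detail/>
COLLECTION = [
    ("get-system-uptime-information", {}),
    ("get-bgp-summary-information", {}),
    ("get-arp-table-information", {"no-resolve": None}),
    ("get-interface-information", {"level-extra": "descriptions"}),
    ("get-fpc-information", {"detail": None}),
    ("get-alarm-information", {}),
    ("get-log", {"filename": "messages"}),
]


def build_collection(rpcs):
    """Render one <rpc> per call and end with <close-session/> so the session ends cleanly."""
    lines = []
    for name, children in rpcs:
        body = "".join("<%s/>" % k if v is None else "<%s>%s</%s>" % (k, v, k)
                       for k, v in children.items())
        lines.append("<rpc><%s>%s</%s></rpc>" % (name, body, name))
    lines.append("<rpc><close-session/></rpc>")
    return "\n".join(lines) + "\n"


def _local(tag):
    """Strip an XML namespace: '{urn:...}rpc-reply' -> 'rpc-reply'."""
    return tag.rsplit("}", 1)[-1]


def split_messages(raw):
    """Split a session transcript on the end-of-message marker; drop empty chunks."""
    return [c.strip() for c in raw.split(NETCONF_EOM) if c.strip()]


def triage_replies(raw):
    """Parse each <rpc-reply>; report its payload element(s) and any <rpc-error> text."""
    results = []
    for chunk in split_messages(raw):
        root = ET.fromstring(chunk)
        if _local(root.tag) != "rpc-reply":   # skip the server <hello>
            continue
        errors = []
        for elem in root.iter():
            if _local(elem.tag) == "rpc-error":
                msg = next((c.text or "" for c in elem if _local(c.tag) == "error-message"), "")
                errors.append(msg.strip())
        payload = [_local(c.tag) for c in root if _local(c.tag) != "rpc-error"]
        results.append({"payload": payload, "errors": errors})
    return results


# Constructed transcript: hello, one good reply, one failed RPC, the close-session ack.
SAMPLE_SESSION = """<!-- No zombies were killed during the creation of this user interface -->
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities><capability>urn:ietf:params:netconf:base:1.0</capability></capabilities>
</hello>
]]>]]>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<system-uptime-information>
<current-time><date-time>2021-02-05 10:00:00 UTC</date-time></current-time>
</system-uptime-information>
</rpc-reply>
]]>]]>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<rpc-error>
<error-type>protocol</error-type>
<error-tag>operation-failed</error-tag>
<error-severity>error</error-severity>
<error-message>syntax error</error-message>
</rpc-error>
</rpc-reply>
]]>]]>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<ok/>
</rpc-reply>
]]>]]>
"""


if __name__ == "__main__":
    import sys
    if "--triage" in sys.argv:            # python3 junos_rpc.py --triage < reply.xml
        for i, r in enumerate(triage_replies(sys.stdin.read()), 1):
            state = "ERROR " + "; ".join(r["errors"]) if r["errors"] else "ok"
            print("reply %d %-40s %s" % (i, ",".join(r["payload"]), state))
    else:                                 # python3 junos_rpc.py > junosroutercollection.txt
        sys.stdout.write(build_collection(COLLECTION))
```

Generate the file once, feed it through the same ssh pipeline as above, and save the raw output; running the triage on that file before mailing it tells you whether any RPC was rejected (a typo in an element name shows up as an rpc-error on the device, not as a local error).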






Wednesday, February 3, 2021

Giving the BIRD ( bgp )

 Here's a simple BIRD BGP config, if you remember a post that I made a few years back:


Ken Felix Security Blog: Giving the Bird to Pfsense OpenBGD (socpuppet.blogspot.com)


Well, it's 6+ years later and I'm setting up a BIRD BGP router for diagnostics and testing.



router id 0.0.0.1 ;

protocol device {
   scan time 10;          # re-read interface state every 10 seconds
}

protocol kernel {
   persist;               # leave the routes in the kernel table when bird exits
   learn;                 # pick up routes added outside of bird
   import all;
   export all;            # everything bird learns lands in the kernel routing table
}

protocol bgp SOC{
   local as 5706 ;
   neighbor x.x.x.x as 23352;
   import all;            # accept whatever the peer announces
   export none;           # announce nothing back
   preference 160;
   hold time 6;
}

More to come.
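Added example, not the author's config: the same SOC peer with the settings a security review would ask for before the box learns routes into the kernel table. "import all" from the peer is replaced by a filter that rejects the default route, RFC 1918 and other non-routable space and anything longer than a /24, an import limit stops a leaked full table from filling the box, and TCP MD5 protects the session. The password, the limit value and the prefix bounds are assumptions to adjust for the environment; the device and kernel protocol blocks from the config above stay as they are.

```bird
# Added example (not from the post): the SOC peer with filtering, a route limit
# and session authentication. Password, limit and prefix bounds are assumptions.

filter soc_in {
    # Default route, RFC 1918, loopback and link-local: never accept from a peer.
    if net ~ [ 0.0.0.0/0, 10.0.0.0/8+, 127.0.0.0/8+, 169.254.0.0/16+,
               172.16.0.0/12+, 192.168.0.0/16+ ] then reject;
    # Anything longer than a /24 is not a routable prefix either.
    if net.len > 24 then reject;
    accept;
}

protocol bgp SOC {
    local as 5706;
    neighbor x.x.x.x as 23352;
    password "change-me";            # TCP MD5 (RFC 2385); must match on the peer
    import filter soc_in;            # instead of "import all"
    export none;                     # a diagnostics box announces nothing
    import limit 1000 action block;  # stop taking routes if the peer leaks a table
    preference 160;
    hold time 6;
    keepalive time 2;                # hold time / 3, stated explicitly
}
```

With "export all" still set in the kernel protocol, the filter is the only thing between the peer's announcements and the host's routing table, so it is worth getting right even on a test box.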


