|
Keeping the firewall chat going, is everyone doing UTM-type stuff from the edge, or maybe something at the client level? I'm going to replace some old Juniper SRX 240s (6 in total, 3 sites) soon. Trying to decide on going with something other than Juniper.
|
# ? Nov 23, 2019 08:49 |
|
|
We have a bunch of ASAs and Firepowers and I hate them. Maintaining the firewalls for a company of seven offices and one datacentre shouldn't make me lust for nuclear death. We sell better products, so... I don't know why we keep running the FTDs. Our preferred solution is "throw the whole Cisco security stack at it". It seems to work well for our clients... edge security is Firepower magic, internal security is handled by AMP and ISE. What are you looking to accomplish other than just "refresh our firewalls"? I work for a multi-vendor VAR so I can poke some of our SEs and pick their brains.
|
# ? Nov 23, 2019 11:47 |
|
Moey posted:Keeping the firewall chat going, is everyone doing UTM type stuff from the edge, or maybe something at the client level?
|
# ? Nov 23, 2019 14:27 |
|
Moey posted:Keeping the firewall chat going, is everyone doing UTM type stuff from the edge, or maybe something at the client level? If you already know SRX I think they do UTM stuff now too.
|
# ? Nov 23, 2019 17:01 |
|
Isn't trying to do security at the edge pretty much a dead end now that everything is encrypted and TLS 1.3 is coming along? I guess you still want a way to keep an eye on the traffic and ensure that DNS ports are being used for DNS traffic, stop machines communicating with known botnet command & control servers etc. but from my admittedly limited perspective it seems like trying to do full MITM inspection of traffic at the insane speeds that are available for relatively low costs, and keeping up with the number of applications that use cert pinning is a way to constantly be busy.
|
# ? Nov 23, 2019 17:26 |
|
I've never been a believer in UTM at the edge. Let the edge do network-level security (IP/port/NAT) and generally just coarse blacklisting. If you want MITM and application security then do it on the client.
|
# ? Nov 25, 2019 01:15 |
|
Re: earlier thing looking for software updates, I found an alternative source with updates as recent as this summer for a broad range of devices (and the hashes I checked against Cisco's site all matched). Not sure if linking in here would be so ... DM me if anyone wants that?

I feel like I'm very close to having everything working with the 891fw for my home network, but it seems like wireless clients (and the AP itself, fwiw, when I session into it) can't get packets to the outside world (e.g. ping google). I'm sure it's probably some terrible newbie mistake but extensive googling around and poking on my part has thus far been unsuccessful. Anyone have possible suggestions? (Is there a better way to share these configs than pastebombing in here? e.g. can I trim all the "!" lines?)

Note on configs: at present the 891fw's WAN interface is plugged into my current router and grabbing DHCP from it while I dork around with it via console cable from one of my Linux machines. The existing LAN is 192.168.3.0/24, the new LAN will be 192.168.30.0/24. So for example re: problem description above, from the router's console I can ping 192.168.3.1 just fine (and google et al.), but while I can ping 192.168.30.1 OK from the AP console/wireless clients, I can't ping 192.168.3.1. Wireless clients get .30.x DHCP addresses just fine from the 891. 891fw's (truncated) sh ver: code:
code:
code:
volkadav fucked around with this message at 04:24 on Nov 29, 2019 |
# ? Nov 28, 2019 21:43 |
|
found the problem; if anyone else stumbles on this in the future I needed to add "zone-member security inside" on vlan1:code:
|
# ? Nov 29, 2019 04:29 |
|
Been experiencing a weird issue since I upgraded my Catalyst 2960CX to v15.2(7)E, hoping maybe someone has seen it before: object-groups in extended ACLs don't match when said ACL is used in line vty access-class. Here's what was configured and working prior to upgrading: code:
code:
code:
|
# ? Nov 30, 2019 14:14 |
|
Pile Of Garbage posted:
I had a similar issue recently: remove the ACL from the config, then re-add it; if that doesn't work, remove the line vty as well and re-add. That fixed the issue I was having, and it was a very similar lead-up to what you had; I did an upgrade to possibly the same version or the one before.
|
# ? Nov 30, 2019 16:23 |
|
MF_James posted:I had a similar issue recently, remove the ACL from the config then re-add it, if that doesn't work remove the line vty as well and re-add; that fixed the issue I was having and it was a very similar lead up that you had, I did an upgrade to possibly the same version or the one before. Cheers thanks mate I'll give that a go. Edit: no dice. Removed the line, ACL and object-group then recreated but the same issue occurred. Pile Of Garbage fucked around with this message at 17:20 on Nov 30, 2019 |
# ? Nov 30, 2019 16:44 |
|
Prescription Combs posted:Old as poo poo topic but unless you absolutely need to capture every connection to syslog, enable syslog permit host down or that ASA will block all traffic if that syslog server goes down. Yeah I found this out the hard way. That’s such a stupid default setting, especially in an environment that patches servers every week.
|
# ? Dec 1, 2019 19:28 |
|
Speaking of ASA and syslog, how does one get ASAs to stop syslogging things about every rule? Stuff like:
Jul 16 00:00:06 fw-hostname.example.net %ASA-2-106006: Deny inbound UDP from 10.3.6.20/61266 to 10.180.20.232/161 on interface inside
Jul 16 00:00:06 fw-hostname.example.net %ASA-4-400011: IDS:2001 ICMP unreachable from 184.61.208.148 to 4.213.112.161 on interface outside
Jul 16 00:00:05 fw-hostname.example.net %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:4.213.111.132 dst identity:4.213.112.1 (type 3, code 10) on outside interface. Original IP payload: udp src 4.213.112.1/514 dst 4.213.111.132/514.
I tried to find settings to calm this down a while back, gave up. I ended up having to filter out all ASA logs from my syslog server because it was all crap I didn't care about. Really all I want are router-like things, like people logging in, command logging if possible, and actual real alarms like power supply or fan issues.
|
# ? Dec 1, 2019 19:45 |
|
falz posted:Speaking of ASA and syslog, how does one get ASAs to stop syslogging things about every rule? Stuff like: Can’t you just adjust the logging to some other threshold? https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_syslog.html#95407 Verbose logging actually saved my rear end with our CIO because a third-party vendor's monitoring device got infected because they left it with default creds and demanded I open up SSH to the public. The thing was bringing our biggest site down for like 2 weeks until I stood up the logging server and found that. I have zero respect for executives but he is rightfully nervous about things after this year of infrastructure failures. Also after we sent their device back they let me know that port 22 actually didn’t need to be open so that was pretty fuckin cool.
|
# ? Dec 1, 2019 20:05 |
|
Tetramin posted:Can’t you just adjust the logging to some other threshold? https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_syslog.html#95407
`logging asdm critical`, `logging buffered critical`, and `emergencies` (lowest level). buffered seems to affect the local log buffer (`show log`) but neither affects the syslog server, and I don't see these types of options as flags of `logging host <1.2.3.4>`. On top of that, ASA seems to think that the types of log messages I posted are in the 'critical' category, and I... disagree.
|
# ? Dec 1, 2019 20:26 |
|
You can disable individual message IDs, but I’m not sure about disabling for a specific rule. Might have to filter them at the syslog server. https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_syslog.html#wp1071301
|
# ? Dec 1, 2019 23:23 |
|
WT Wally posted:You can disable individual message IDs, but I’m not sure about disabling for a specific rule. Might have to filter them at the syslog server. I guess I could add a hundred lines to the config to ignore things. Seems weird to me that there's not just a flag like 'log IPS stuff' to turn off, and it's on by default. My current "fix" is filtering them on the rsyslogd side, but that too is brute force as I'm filtering *everything* based on hostname matching. Anyway, ASAs are lame.
|
# ? Dec 2, 2019 02:51 |
falz posted:I guess I could add a hundred lines to the config to ignore things. Seems weird to me that there's not just a flag like 'log IPS stuff' to turn off, and it's on by default.
This is the answer.
quote:Anyway, ASAs are lame.
Yep
|
|
# ? Dec 2, 2019 14:52 |
|
I ended up doing this, which got 99% of the cruft, but leaves important stuff like commands that users type. Annoyingly though it shows the command class (enable_15) instead of the username. Oh well. code:
|
# ? Dec 2, 2019 15:13 |
falz posted:I ended up doing this, which got 99% of the cruft, but leaves important stuff like commands that users type. Annoyingly though it shows the command class (enable_15) instead of the username. oh well. It does that whenever you use enable. Set priv level 15 for admin users and auto enable on login so they don’t need to enable (which switches executed commands from their user to being run as “enable_15”) If priv level is already set then running “login” instead of enable will let you elevate to 15. Setting ASA to work right with full AAA/logging and fail back to local is a giant pain in the rear end
|
|
# ? Dec 2, 2019 15:22 |
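An added example, not falz's rsyslog config or anything posted in the thread: a small Python triage filter that does what the posts above are circling around. It keys on the six-digit ASA message ID rather than on severity (the ASA rates 106006 as severity 2, so a severity threshold alone never silences it), keeps management logins and executed commands, and flags the enable_15 attribution gap Thanks Ants describes. The sample lines are constructed in ASA syslog format with documentation addresses, and the message-ID sets are my own choices; adjust them to what your boxes actually emit.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in ASA syslog format (documentation addresses, not real traffic).
SAMPLE_LINES = [
    "Jul 16 00:00:06 fw1.example.net %ASA-2-106006: Deny inbound UDP from 10.3.6.20/61266 to 10.180.20.232/161 on interface inside",
    "Jul 16 00:00:06 fw1.example.net %ASA-4-400011: IDS:2001 ICMP unreachable from 198.51.100.7 to 203.0.113.9 on interface outside",
    "Jul 16 00:00:05 fw1.example.net %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:198.51.100.7 dst identity:203.0.113.1 (type 3, code 10) on outside interface.",
    "Jul 16 00:01:10 fw1.example.net %ASA-6-605005: Login permitted from 10.0.0.5/51234 to inside:10.0.0.1/ssh for user \"jdoe\"",
    "Jul 16 00:01:12 fw1.example.net %ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.",
    "Jul 16 00:01:15 fw1.example.net %ASA-5-111010: User 'jdoe', running 'CLI' from IP 10.0.0.5, executed 'show running-config'",
    "Jul 16 00:02:00 fw1.example.net %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/40000 (198.51.100.7/40000) to inside:10.0.0.10/443 (203.0.113.10/443)",
    "Jul 16 00:03:00 fw1.example.net %ASA-6-611102: User authentication failed: Uname: jdoe",
]

ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<msg>.*)$")
# Username appears as User 'x' (111008/111010), for user "x" (605005) or Uname: x (6111xx).
USER_RE = re.compile(r"""(?:User|for user)\s+['"]([^'"]+)['"]|Uname:\s*(\S+)""")

# Per-packet / per-rule chatter that drowns everything else on a busy edge device.
NOISE_IDS = {"106006", "106023", "313005", "400011", "302013", "302014"}
# Administrative audit trail: management logins and executed commands.
AUDIT_IDS = {"605004", "605005", "611101", "611102", "111008", "111010"}
# Anything at this severity or worse that is not on the noise list is kept unseen.
KEEP_SEVERITY_AT_MOST = 2


@dataclass
class Event:
    raw: str
    msg_id: Optional[str]
    severity: Optional[int]
    user: Optional[str]
    keep: bool
    reason: str


def triage_line(line: str) -> Event:
    m = ASA_RE.search(line)
    if not m:
        # Unparseable or truncated: keep it rather than let it vanish silently.
        return Event(line, None, None, None, True, "unparsed")
    msg_id, sev, msg = m["id"], int(m["sev"]), m["msg"]
    um = USER_RE.search(msg)
    user = (um.group(1) or um.group(2)) if um else None
    if msg_id in AUDIT_IDS:
        reason = "audit"
        if user == "enable_15":
            # Command was run after 'enable': recorded, but not tied to a person.
            reason = "audit (enable_15, not attributable to a user)"
        return Event(line, msg_id, sev, user, True, reason)
    if msg_id in NOISE_IDS:
        # Decided by message ID on purpose: 106006 is severity 2 ("critical") on the ASA,
        # so a severity threshold alone would not drop it.
        return Event(line, msg_id, sev, user, False, "noise")
    if sev <= KEEP_SEVERITY_AT_MOST:
        return Event(line, msg_id, sev, user, True, "high severity")
    return Event(line, msg_id, sev, user, False, "below threshold")


def triage(lines: List[str]) -> List[Event]:
    return [triage_line(line) for line in lines]


def kept(lines: List[str]) -> List[Event]:
    return [e for e in triage(lines) if e.keep]


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print("KEEP" if e.keep else "DROP", e.msg_id, e.user, e.reason)
```

The same allow-list can be done on the box instead of at rsyslog: `no logging message <id>` for each noisy ID, `logging trap <level>` for what is sent to the syslog host (the `logging buffered` level only governs the local buffer), and `logging permit-hostdown` so the firewall keeps passing traffic while the syslog server is being patched. Either way, the enable_15 entries stay unattributable until admins land at privilege 15 without running `enable`.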
|
Been a while since I had to do a BGP build from scratch. I'm wondering what the best way to build this design would be. I have two external BGP routers that talk to two internal BGP routers. There's no cross communication between router 1's and router 2's, it's all 1:1, 2:2. The goal is to have the default route advertised from external to internal, where internal knows it can go "upstream" to external or across to its neighbor internal router. Wondering if I should use iBGP everywhere, or eBGP everywhere, confederacies, etc.. There will never be a 3rd internal BGP router, but there may be more than 2 externals in the future Edit: no BGP with "internet". The external routers are just doing BGP internally. Edit2: Plan so far is to do iBGP with the internal routers being route reflectors. Sepist fucked around with this message at 16:30 on Dec 2, 2019 |
# ? Dec 2, 2019 15:42 |
|
Definitely no to confederations. Single-AS iBGP with inline RR between the internal routers is probably the cleanest solution here. It sounds like you don't want multipathing to 0/0.
|
# ? Dec 2, 2019 16:36 |
|
tortilla_chip posted:Definitely no to confederations. I do want multipathing, each internal router is going to ECMP upstream or over to its internal router neighbor to send upstream from there. But yea RR on internal seems to be the right call here
|
# ? Dec 2, 2019 16:46 |
|
Because you're just doing default routes - you don't want to run BGP, just run OSPF and you get all the benefits of doing per-link costing and the like. Raise the link cost of Int1-Int2 (you probably don't even need to do that in such a simple setup) so that Internal Router 1 uses External 1 as its primary gateway, and Int2 uses Ext2 as its primary. Failures are covered nicely when the uplink route (that is redistributed) from an external router/firewall is gone (assuming you're tracking it). Using BGP you'd need to start doing weightings and the like which would be more complicated and in the future a pain to start dealing with. Edit: Oh, you need ECMP and want active balancing of uplinks. Are you doing NAT on the external routers?
|
# ? Dec 2, 2019 16:51 |
|
unknown posted:Edit: Oh, you need ECMP and want active balancing of uplinks. Are you doing NAT on the external routers? No NAT. Also the "external" routers aren't peering with anyone else besides internal routers. They just advertise a quad 0 Sepist fucked around with this message at 16:56 on Dec 2, 2019 |
# ? Dec 2, 2019 16:54 |
|
FYI, If you're not doing NAT, and you're not doing BGP (or some kind of 2way dynamic failure checks like BFD) with your internet provider(s), you've likely got a serious failure (blackhole type) on those links. There's no reason to run RRs - this is 4 routers (with growth to 6?) and 2-4 default routes (not 100k+), easily manageable with a bog standard mesh deployment at this point. You're not going to get ECMP in your setup because your base links are unequal from the get go (2 hops to the far side, 1 to local side). You need links: Ext1 to Int1, Ext1 to Int2, Ext2 to Int1, Ext2 to Int2. If this is a multi-location setup, with Int1-Int2 being a long/MAN link - then a simple OSPF setup I said before is the way to go.
|
# ? Dec 2, 2019 17:15 |
|
This is an AWS deployment so it's a bit non-traditional. The externals point to an IGW via default route so there's no fault tolerance for me to deal with there. I can't (easily) peer full mesh because of the different availability zones of the routers. I can get ECMP at the internal routers by doing AS path rewrite on the cross-AZ peering
|
# ? Dec 2, 2019 17:25 |
|
Sepist posted:This is an AWS deployment so it's a bit non-traditional. The externals point to a IGW via default route so there's no fault tolerance for me to deal with there. I can't (easily) peer full mesh because of the different availability zones of the routers. I can get ECMP at the internal routers by doing AS Path rewrite on the cross AZ peering Ooooh, yeah, the fun of AWS. I'll bow out of the conversation - I've only played with it enough to know that if you're attempting to apply normal/conventional networking to a setup there you can be in for a bunch of weird hurt (also some very interesting speed limitations on a per-server type). My knowledge limits to "do it Amazon's way" and let them manage your networking (although that costs a ton more).
|
# ? Dec 2, 2019 18:09 |
|
Actually my whole design was just blown up. The "external routers" are actually Palo Altos and they are very...restrictive about dynamic protocols over DHCP interfaces. Just gonna have to use static routing with Lambdas to withdraw routes from the FRR instances.
|
# ? Dec 2, 2019 18:33 |
|
Sepist posted:This is an AWS deployment so it's a bit non-traditional. The externals point to a IGW via default route so there's no fault tolerance for me to deal with there. I can't (easily) peer full mesh because of the different availability zones of the routers. I can get ECMP at the internal routers by doing AS Path rewrite on the cross AZ peering Just out of curiosity - if this is AWS, why would you try to do ECMP (instead of active/passive failover)? The bandwidth generally isn't a limiter, and you just get billed for usage, so I'd assume less complexity would be an advantage. (Unless you're talking about enough bandwidth that it is a limiter...)
|
# ? Dec 2, 2019 19:25 |
|
Firewalls have an upper limit of inspection bandwidth. We have them tied to CloudWatch metrics to kick off autoscale events when thresholds are met. This lets us handle a lot of east-west at a manageable cost. The FRR routers can do 10s of gigs without fuss but Palos get expensive after the first 1.5 gigs, e.g. a Palo capable of 8 gigs is about 40k/yr, whereas 4 small Palos each doing 2 gigs is much cheaper and provides HA Sepist fucked around with this message at 20:01 on Dec 2, 2019 |
# ? Dec 2, 2019 19:54 |
|
Makes perfect sense - in your case, bandwidth is a limiter (monetary wise)!
|
# ? Dec 2, 2019 20:09 |
|
falz posted:I guess I could add a hundred lines to the config to ignore things. Seems weird to me that there's not just a flag like 'log IPS stuff' to turn off, and it's on by default. There is. code:
|
# ? Dec 3, 2019 03:06 |
|
ragzilla posted:There is. code:
code:
|
# ? Dec 6, 2019 14:36 |
|
The company I'm working for just bought a bunch of shiny new Juniper 10003 PTXs that we intend to use for MACsec and to set up an MPLS backbone. Right now they are sitting in our systems integration facility. I've been tasked with setting up a validation plan for these things. Not so much testing every port or doing a bandwidth test or whatever (I trust Juniper Quality Control over whatever we could do), but "proofing" and validating them. Things like checking the amount of memory, installing the proper code, etc. Anyone have anything like that in their environment that I could crib from? For context we will be running about 45 of these routers through that process plus any future RMAs, so I want to make sure it's useful, consistent, and not too time consuming.
|
# ? Dec 6, 2019 16:58 |
|
Do you already run Junos on your network? We do, and when we have a new Junos product of any type (different MX model, QFX model, EX model, etc) I always:
* Check if our existing configuration standards work
* Check if the things you want to do actually work - BGP, MPLS, LDP, OSPF, BFD, etc etc
* Set up your lab like production, configure the interfaces to be how you want, tweak MTU, etc
* Ensure your monitoring systems see the data you want over SNMP or whatever. Things like traffic on vlan subinterfaces, routing protocol stuff, DOM per lane on optics, and so on.
* Test OS upgrades and downgrades, as well as powering off the device to simulate a power outage. Figure out how to drop to the Linux shell. Figure out how to install Junos from USB and keep a USB drive attached to help with that just in case.
Basically test everything you want to use, just because it's on the spec sheet doesn't mean it's going to work. I always start with the current Junos recommended version and then bounce some questions off of your Juniper reps about when the next service release is coming out for bugfixes (and new bugs!) and if you need bleeding edge (Junos 19) for any particular features. We keep config standards per Juniper model as well, for example you need a different:
* lo0 RE protect filter between MX, Q5 (your PTX), QFX5k (Broadcom), and so on.
* different class-of-service rules for above models
We've had Q5-based QFX10002 in production for a bit and it's been smooth sailing lately, but early on we had issues getting vlans provisioned through that a simple reboot fixed. ¯\_(ツ)_/¯ Side note, Juniper was going to release that model switch as QFX10003 as well, but at the last moment this year ditched it and now everything will cost 10x more for the same features that we need. Sucks.
|
# ? Dec 6, 2019 19:23 |
|
Thanks. I've already done a few of those and yea my Ansible environment already breaks out our Junipers by model type. Currently just SRX and PTX with custom security stuff (lo0 ACLs, firewall policies, etc), common stuff (root password, usernames, logging, etc) and finally site- and host-specific configs.
|
# ? Dec 6, 2019 22:45 |
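An added example, not the poster's Ansible setup or any Juniper tooling: the shape of an acceptance gate for the "proofing" step above. A per-model baseline plus a batch check fails a unit on wrong model, wrong Junos version, too little memory, a missing or duplicated serial, or a staged image whose SHA-256 does not match the digest you copied from the vendor's download page (the same check volkadav did against Cisco's published hashes earlier in the thread). The facts dict shape (`model`, `version`, `serialnumber`, `memory_mb`), the version string, the memory floor and the stand-in image bytes are all assumptions; point `facts` at whatever your collector returns.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Baseline:
    """Per-model acceptance baseline. Values are placeholders, not Juniper's numbers."""
    model: str
    junos_version: str
    min_memory_mb: int
    image_sha256: str  # digest published by the vendor for the release being installed


@dataclass
class Finding:
    serial: str
    check: str
    detail: str


def validate_device(facts: Dict[str, object], image: bytes, baseline: Baseline) -> List[Finding]:
    """Compare collected facts (dict shape is an assumption) and the staged image against the baseline."""
    serial = str(facts.get("serialnumber") or "<unknown>")
    findings: List[Finding] = []
    if facts.get("serialnumber") is None:
        findings.append(Finding(serial, "serial", "no serial number reported"))
    if facts.get("model") != baseline.model:
        findings.append(Finding(serial, "model", f"got {facts.get('model')!r}, expected {baseline.model!r}"))
    if facts.get("version") != baseline.junos_version:
        findings.append(Finding(serial, "version", f"got {facts.get('version')!r}, expected {baseline.junos_version!r}"))
    memory = int(facts.get("memory_mb") or 0)
    if memory < baseline.min_memory_mb:
        findings.append(Finding(serial, "memory", f"{memory} MB < {baseline.min_memory_mb} MB"))
    digest = hashlib.sha256(image).hexdigest()
    if digest != baseline.image_sha256:
        # A mismatch means the staged package is not the one the vendor published: do not install it.
        findings.append(Finding(serial, "image", f"sha256 {digest[:16]}... != published {baseline.image_sha256[:16]}..."))
    return findings


def validate_batch(devices: List[Tuple[Dict[str, object], bytes]], baseline: Baseline) -> Dict[str, List[Finding]]:
    """Run every unit through validate_device and reject duplicate serials within the batch."""
    report: Dict[str, List[Finding]] = {}
    for facts, image in devices:
        serial = str(facts.get("serialnumber") or "<unknown>")
        findings = validate_device(facts, image, baseline)
        if serial in report:
            # Two chassis claiming one serial: asset tracking and RMA paperwork are now unreliable.
            findings.append(Finding(serial, "serial", "duplicate serial number in this batch"))
        report[serial] = report.get(serial, []) + findings
    return report


def passed(report: Dict[str, List[Finding]]) -> List[str]:
    """Serials with no findings, sorted."""
    return sorted(s for s, f in report.items() if not f)


# Constructed data. GOOD_IMAGE stands in for the Junos package read from disk; its digest below is
# the well-known SHA-256 of b"abc" and stands in for the value pasted from the vendor's download page.
GOOD_IMAGE = b"abc"
BASELINE = Baseline(
    model="PTX10003",
    junos_version="19.2R1",
    min_memory_mb=32768,
    image_sha256="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
)
DEVICES = [
    ({"serialnumber": "AA1111", "model": "PTX10003", "version": "19.2R1", "memory_mb": 65536}, GOOD_IMAGE),
    ({"serialnumber": "BB2222", "model": "PTX10003", "version": "18.4R2", "memory_mb": 65536}, b"abd"),
    ({"serialnumber": "CC3333", "model": "PTX10003", "version": "19.2R1", "memory_mb": 16384}, GOOD_IMAGE),
]

if __name__ == "__main__":
    rep = validate_batch(DEVICES, BASELINE)
    print("passed:", passed(rep))
    for serial, findings in rep.items():
        for f in findings:
            print(serial, f.check, f.detail)
```

Run it per shipment and archive the report next to the serials; the image digest check is the part worth keeping even if everything else moves into your Ansible roles, because it is the only step that catches a tampered or mislabeled package before it is on 45 backbone routers.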
|
Tetramin posted:Yeah I found this out the hard way. That’s such a stupid default setting, especially in an environment that patches servers every week. "Why does our internet/vpn connectivity always go down when the syslog server patches?!"
|
# ? Dec 11, 2019 06:13 |
|
This bug is getting exploited again, time to upgrade ASAs if you're being affected: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi16029/ Good to know it wasn't hardware that was causing one of our ASAs to keep reloading.
|
# ? Dec 20, 2019 16:26 |
|
|
Yep, had to upgrade the firewalls at every one of our sites in the middle of the day yesterday. Except for the newest one, which makes this the first time I've ever been appreciative of FTD code.
|
# ? Dec 20, 2019 18:01 |