Another useful SRX command for looking at IPSec tunnels

This is a new one on me – obviously I’ve not been paying much attention since it has been around since 10.2!

On 12.1X45-D15.5 the counters for packets/bytes all show zero, but at least you can see that your tunnel is up and what the various parameters in use are…  See below:

imtech@srx650-1-POD1> show security flow session tunnel extensive 
Session ID: 38046, Status: Normal
Flag: 0x10000
Policy name: N/A
Source NAT pool: Null
Dynamic application: junos:UNKNOWN, 
Maximum timeout: N/A, Current timeout: N/A
Session State: Valid
Start time: 105905, Duration: 52592
 In: 10.1.0.9/49698 --> 10.1.0.1/27622;esp, 
 Interface: ge-2/0/13.0, 
 Session token: 0xa, Flag: 0x100621
 Route: 0x110010, Gateway: 10.1.0.2, Tunnel: 0
 Port sequence: 0, FIN sequence: 0, 
 FIN state: 0, 
 Pkts: 0, Bytes: 0

Session ID: 38047, Status: Normal
Flag: 0x10000
Policy name: N/A
Source NAT pool: Null
Dynamic application: junos:UNKNOWN, 
Maximum timeout: N/A, Current timeout: N/A
Session State: Valid
Start time: 105905, Duration: 52592
 In: 10.1.0.9/0 --> 10.1.0.1/0;esp, 
 Interface: ge-2/0/13.0, 
 Session token: 0xa, Flag: 0x621
 Route: 0x110010, Gateway: 10.1.0.2, Tunnel: 0
 Port sequence: 0, FIN sequence: 0, 
 FIN state: 0, 
 Pkts: 0, Bytes: 0
Total sessions: 2

Another useful SRX command for looking at IPSec tunnels

This is a new one on me – obviously I’ve not been paying much attention since it has been around since 10.2!

On 12.1X45-D15.5 the counters for packets/bytes all show zero, but at least you can see that your tunnel is up and what the various parameters in use are…  See below:

imtech@srx650-1-POD1> show security flow session tunnel extensive 
Session ID: 38046, Status: Normal
Flag: 0x10000
Policy name: N/A
Source NAT pool: Null
Dynamic application: junos:UNKNOWN, 
Maximum timeout: N/A, Current timeout: N/A
Session State: Valid
Start time: 105905, Duration: 52592
 In: 10.1.0.9/49698 --> 10.1.0.1/27622;esp, 
 Interface: ge-2/0/13.0, 
 Session token: 0xa, Flag: 0x100621
 Route: 0x110010, Gateway: 10.1.0.2, Tunnel: 0
 Port sequence: 0, FIN sequence: 0, 
 FIN state: 0, 
 Pkts: 0, Bytes: 0

Session ID: 38047, Status: Normal
Flag: 0x10000
Policy name: N/A
Source NAT pool: Null
Dynamic application: junos:UNKNOWN, 
Maximum timeout: N/A, Current timeout: N/A
Session State: Valid
Start time: 105905, Duration: 52592
 In: 10.1.0.9/0 --> 10.1.0.1/0;esp, 
 Interface: ge-2/0/13.0, 
 Session token: 0xa, Flag: 0x621
 Route: 0x110010, Gateway: 10.1.0.2, Tunnel: 0
 Port sequence: 0, FIN sequence: 0, 
 FIN state: 0, 
 Pkts: 0, Bytes: 0
Total sessions: 2

Useful SRX debugging blog

Just came across a useful debugging guide for site-to-site IPSec VPNs on Juniper SRX. It is a bit confusing because in steps 2 and 3, where it says [LOCAL PEER IP] it should actually say [REMOTE PEER IP].   But otherwise, this is a very useful set of instructions.

It doesn’t mention that you should observe the lifetime of the IKE and IPSec security associations, and also keep an eye on the SA index or ID.  If the index number keeps changing, it means your tunnel is going down and coming back up all the time.   If the lifetime regularly starts again at the maximum value and does not count down to zero steadily, this indicates the same thing.

Particularly interesting is the way the author splits out the sections on troubleshooting the packet flow within the VPN, versus the packet flow of the VPN crypto itself.  I’ve not used packet-filters in flow debug before, so will definitely be trying that out.

Link to SRX debug article at fir3net.com


Useful SRX debugging blog

Just came across a useful debugging guide for site-to-site IPSec VPNs on Juniper SRX. It is a bit confusing because in steps 2 and 3, where it says [LOCAL PEER IP] it should actually say [REMOTE PEER IP].   But otherwise, this is a very useful set of instructions.

It doesn’t mention that you should observe the lifetime of the IKE and IPSec security associations, and also keep an eye on the SA index or ID.  If the index number keeps changing, it means your tunnel is going down and coming back up all the time.   If the lifetime regularly starts again at the maximum value and does not count down to zero steadily, this indicates the same thing.

Particularly interesting is the way the author splits out the sections on troubleshooting the packet flow within the VPN, versus the packet flow of the VPN crypto itself.  I’ve not used packet-filters in flow debug before, so will definitely be trying that out.

Link to SRX debug article at fir3net.com


How texting a Corvette could stop it in its tracks

As if recent research on car hacking wasn’t frightening enough, a new study shows yet another danger to increasingly networked vehicles.This time around, academics with the University of California analyzed small, third-party devices that are sometimes plugged into a car’s dashboard, known as telematic control units (TCUs).Insurance companies issue the devices to monitor driving metrics in order to meter polices. Other uses include fleet management, automatic crash reporting and tracking stolen vehicles.In order to collect vehicle data, TCUs have access to the electronic brain of an automobile, the CAN (Controller Area Network) bus, which transmits and receives messages from many vehicle systems. The TCUs also have SIM cards, which give them cellular network connectivity in order to send information.To read this article in full or to leave a comment, please click here

Twitter sees surge in government requests for account information

Twitter has seen an increase in government demands for account information in the first half of this year, with the U.S. followed by Japan topping the list for such requests.The increase is the largest ever seen between reporting periods by Twitter, wrote Jeremy Kessel, Twitter’s senior manager for global legal policy, in a blog post Tuesday.The Transparency Report from the company indicated that government requests for account information in the first half were 52 percent more and affected 78 percent more account holders than in the second half of last year.The scope of the report has been expanded to include information on notices of alleged trademark violations and a section where users can check how different email providers handle the privacy and encryption of email messages from Twitter.To read this article in full or to leave a comment, please click here

A Second Look at APNIC and IPv4 Address Exhaustion

It has been said often enough that its easy to make predictions; the tough part is getting them right! And in trying to predict the manner that APNIC will exhaust its remaining supply of IPv4 addresses I’m pretty sure that I did not get it right in the most recent article on this topic. So I’ll try and correct that in a more detailed look at the situation.

More PIM-BiDir Considerations

Introduction

From my last post on PIM BiDir I got some great comments from my friend Peter Palúch. I still had some concepts that weren’t totally clear to me and I don’t like to leave unfinished business. There is also a lack of resources properly explaining the behavior of PIM BiDir. For that reason I would like to clarify some concepts and write some more about the potential gains of PIM BiDir is. First we must be clear on the terminology used in PIM BiDir.

Terminology

Rendezvous Point Address (RPA) – The RPA is an address that is used as the root of the distribution tree for a range of multicast groups. This address must be routable in the PIM domain but does not have to reside on a physical interface or device.

Rendezvous Point Link (RPL) – It is the physical link to which the RPA belongs. The RPL is the only link where DF election does not take place. The RFC also says “In BIDIR-PIM, all multicast traffic to groups mapping to a specific RPA is forwarded on the RPL of that RPA.” In some scenarios where the RPA is virtual, there may not be an RPL though.

Continue reading

Mobile banking apps in developing nations have weak security

The developing world is increasingly using mobile banking apps to move money, but new research shows those apps are often poorly coded and pose security risks.Researchers with the University of Florida looked at dozens of apps used for mobile money systems but extensively analyzed seven that have millions of users in Brazil, India, Indonesia, Thailand, and the Philippines.The problems they found represent a large attack surface, including SSL/TLS issues, botched cryptography, information leakage and opportunities to manipulate transactions and modify financial records.The impact of the problems is unknown, but “it is possible that these apps are already being exploited in the wild, leaving consumers with no recourse to dispute financial transactions,” according to their research paper, to be presented on Wednesday at the 24th USENIX Security Symposium in Washington, D.C.To read this article in full or to leave a comment, please click here

Four knowns and four unknowns in Google’s Alphabet soup

When Google announced on Monday that it would create a new holding company called Alphabet, of which Google Inc. will be just one part, Larry Page said the new structure would allow the company to get more ambitious things done. But there was still a lot that he didn’t say.The move should free up time for Page and Sergey Brin to focus on Google’s forward looking projects like self-driving cars, and allow other leaders, like Sundar Pichai, to take care of the core businesses. It should also provide a bit more transparency for Google’s investors, allowing them to see better how those core businesses are performing.But there are questions too, about how Alphabet will evolve and which other companies might get their own CEOs. Here are four knowns and unknowns about what happened yesterday.To read this article in full or to leave a comment, please click here

Four knowns and four unknowns in Google’s Alphabet soup

When Google announced on Monday that it would create a new holding company called Alphabet, of which Google Inc. will be just one part, Larry Page said the new structure would allow the company to get more ambitious things done. But there was still a lot that he didn’t say.The move should free up time for Page and Sergey Brin to focus on Google’s forward looking projects like self-driving cars, and allow other leaders, like Sundar Pichai, to take care of the core businesses. It should also provide a bit more transparency for Google’s investors, allowing them to see better how those core businesses are performing.But there are questions too, about how Alphabet will evolve and which other companies might get their own CEOs. Here are four knowns and unknowns about what happened yesterday.To read this article in full or to leave a comment, please click here

Microsoft patches Windows 10, Edge, 4 critical holes, 2 exploits in the wild

Well, well, Patch Tuesday is not yet dead as Microsoft released 14 security bulletins, four of which are rated critical for remote code execution vulnerabilities; the August 2015 security updates are aimed at Windows, Microsoft Office, Internet Explorer, Edge, Microsoft Lync, Microsoft Silverlight and .Net Framework. One of the patches rated critical (MS15-081) and one rated important (MS15-085) are fixes for exploits detected in the wild.To read this article in full or to leave a comment, please click here

A nice SRX command I’ve never come across before

Not sure why this command has to be so obscure, but I stumbled on this while writing a training course tonight – quite a nice way to see if packets are hitting your policies:

imtech@srx220-1-POD3> show security policies hit-count 
Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 1       VR3a             VR3b              P1             0            
 2       VR3a             untrust           3to1VPN        8320         
 3       VR3a             untrust           P1             3249         
 4       VR3b             VR3a              P1             0            
 5       VR3b             untrust           P1             0            
 6       untrust          junos-host        P1             8            
 7       untrust          VR3a              1to3           5523         
 8       untrust          VR3a              P1             5            
 9       untrust          VR3b              permit-to-3b   0            
 10      untrust          VR3b              DEFAULT-DENY   16

A nice SRX command I’ve never come across before

Not sure why this command has to be so obscure, but I stumbled on this while writing a training course tonight – quite a nice way to see if packets are hitting your policies:

imtech@srx220-1-POD3> show security policies hit-count 
Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 1       VR3a             VR3b              P1             0            
 2       VR3a             untrust           3to1VPN        8320         
 3       VR3a             untrust           P1             3249         
 4       VR3b             VR3a              P1             0            
 5       VR3b             untrust           P1             0            
 6       untrust          junos-host        P1             8            
 7       untrust          VR3a              1to3           5523         
 8       untrust          VR3a              P1             5            
 9       untrust          VR3b              permit-to-3b   0            
 10      untrust          VR3b              DEFAULT-DENY   16

Will stock, hiring surge at a more transparent Google?

Google's restructuring could finally deliver to Wall Street something it's been after for years: more insight into what the company is spending on things like Nest, drones and health research.If that happens, it could boost the company's flat stock and entice the best engineers and tech workers to bypass the likes of Netflix and Facebook to sign up with the new Alphabet.+ ALSO ON NETWORK WORLD Meet Sundar Pichai, Google's new CEO +"Overall, we view the new structure as an elegant way for Google to continue to pursue long-term, life-changing initiatives, while simultaneously increasing transparency and management focus in the core business," wrote Doug Anmuth, an analyst with J.P. Morgan, in a report released Monday. "From a financial perspective, we believe the Street will soon be better able to evaluate the true performance of core Google, and may also become more accepting of Google's ongoing investment in emerging businesses such as Nest, Fiber, and driverless cars."To read this article in full or to leave a comment, please click here

Windows 10 gets its first set of security patches

Released almost two weeks ago, the new Windows 10 operating system already has its first set of security patches.For August, Microsoft’s monthly round of security patches contains five bulletins that cover Windows 10, as well as a bulletin that covers the new Edge browser that runs on Windows 10.Overall, Microsoft released 14 security bulletins for this month’s Patch Tuesday—which occurs on the second Tuesday of each month.Three of the bulletins were marked as critical, meaning that they should be patched as quickly as possible. A bulletin typically contains a set of patches for a single set of software products, such as all the supported versions of Windows.To read this article in full or to leave a comment, please click here

DARPA wants to transform vacuum electronics for superior communications, data transmissions

The notion of vacuum electronics may sound ancient in high-tech terms but a new program from the scientists at the Defense Advanced Research Projects Agency aims to transform the widely-used equipment into the next century.According to DARPA, vacuum electron devices (VEDs) are critical components for defense and civilian systems that require high power, wide bandwidth, and high efficiency, and there are over 200,000 VEDs currently in service.+More on Network World: DARPA wants to make complex 3D printing trustworthy, dependable, safe+To read this article in full or to leave a comment, please click here

1 3,312 3,313 3,314 3,315 3,316 3,791