Sunday, October 26, 2014

JNCIS-SEC

Recently I passed the Juniper Networks Certified Specialist - Security exam, JNCIS-SEC.

I spent several months studying off and on for the exam and finally bit the bullet and wrote it.

The exam was straightforward with only multiple choice questions.  The exam solely covers the SRX series of security gateways.  If you study the Fast Track guides provided by Juniper you should be able to pass with little issue.

Fortunately for me, the company I am employed by is undergoing a significant infrastructure upgrade which involved implementing Juniper SRX550 firewalls in a chassis cluster configuration.  This allowed me to get significant hands-on experience with the SRX and all of its security features.

The major plus about Juniper certifications is that only one exam is required to obtain a certification unlike other vendors who require multiple exams.

For preparation I used the Fast Track study guides available for free on Juniper's website and the SRX Series book by O'Reilly, along with hands-on experience.

Juniper provides a pre-assessment test on their website.  If you pass it, you receive a 50% discount voucher for the exam.

Juniper doesn't have the market share that Cisco and other vendors may have.  However, their devices offer significant advantages and features that other vendors' devices don't.  Also, Juniper is well known in the service provider sector.

Having knowledge and experience with Juniper and/or other vendors will give you a niche advantage that others won't have.

Coming from a Cisco background myself, I prefer Juniper due to the bang for your buck that you get.  Juniper offers features on their low-end to mid-range products that other vendors reserve for their higher-end products.  Also, Junos offers several advantages over Cisco IOS such as batch configuration, automatic archiving of configurations and the ability to roll back to a previous configuration, to name a few.

Networking isn't my career focus, but it's an area that I do enjoy working in, and you can't really get far in the IT field without having at least some basic networking knowledge.

Sunday, September 21, 2014

Why You Should Enable Logging On Your Firewall Rules.

Recently I encountered an issue where malware had infected a client's machine and began sending out spam to various mail servers on the Internet.  I had encountered this same issue a few years ago with another client.

In both cases the infected machine was found by checking or enabling logging on a security policy/rule in place on the firewall at the edge of the network.

In the earlier incident, a rule was created to permit and log all SMTP traffic.  Once this was done, the logs showed the source IP addresses of all SMTP traffic, including the infected machine.  This allowed the machine to be identified and removed from the network.  In the more recent case the firewall had an IPS component running in log-only mode, which allowed the offending machine to be identified.

Both cases showed the importance of logging traffic on firewall rules/security policies.  It is also a best practice to forward all logs to a centralized logging server running syslog, Splunk, logstash/elasticsearch, a SIEM or some other log correlation software so that logs can be analyzed and alerts can even be generated from logged events.
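As an added example (not code from the original post), this is the kind of check a central log server could run over permit-and-log SMTP entries: it counts how many distinct mail servers each internal host was allowed to reach and flags any host beyond a small threshold, skipping the organisation's own mail server.  The log format, addresses and threshold are constructed assumptions; adjust the regular expression to whatever your firewall actually emits.

```python
import re
from collections import defaultdict

# Constructed sample lines in a generic key=value syslog style (not real
# firewall output); adjust LINE_RE to the format your firewall emits.
SAMPLE_LOG = """\
Sep 21 10:00:01 fw permit src=192.168.1.10 dst=203.0.113.25 proto=tcp dport=25
Sep 21 10:00:03 fw permit src=192.168.1.57 dst=198.51.100.7 proto=tcp dport=25
Sep 21 10:00:03 fw permit src=192.168.1.57 dst=198.51.100.8 proto=tcp dport=25
Sep 21 10:00:04 fw permit src=192.168.1.57 dst=192.0.2.44 proto=tcp dport=25
Sep 21 10:00:04 fw permit src=192.168.1.57 dst=192.0.2.45 proto=tcp dport=25
Sep 21 10:00:05 fw permit src=192.168.1.57 dst=192.0.2.46 proto=tcp dport=25
Sep 21 10:00:06 fw permit src=192.168.1.33 dst=203.0.113.80 proto=tcp dport=443
Sep 21 10:00:07 fw permit src=192.168.1.10 dst=203.0.113.26 proto=tcp dport=25
Sep 21 10:00:08 fw deny src=192.168.1.57 dst=192.0.2.47 proto=tcp dport=25
"""

# Only permitted sessions to TCP/25 matter here: a denied session never left.
LINE_RE = re.compile(
    r"\bpermit src=(?P<src>\d+\.\d+\.\d+\.\d+) dst=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"proto=tcp dport=25\b"
)


def smtp_destinations(log_text):
    """Map each source IP to the set of distinct SMTP servers it was allowed to reach."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            dests[m.group("src")].add(m.group("dst"))
    return dests


def suspect_sources(log_text, mail_servers=frozenset(), max_destinations=3):
    """Return {src: count} for hosts that contacted more than max_destinations
    distinct SMTP servers, ignoring hosts that legitimately relay mail."""
    return {
        src: len(dsts)
        for src, dsts in smtp_destinations(log_text).items()
        if src not in mail_servers and len(dsts) > max_destinations
    }


if __name__ == "__main__":
    # 192.168.1.10 plays the legitimate mail relay in the constructed sample.
    for src, n in sorted(suspect_sources(SAMPLE_LOG, {"192.168.1.10"}).items()):
        print("%s reached %d distinct SMTP servers: investigate" % (src, n))
```

A single workstation fanning out to many external mail servers on port 25 is exactly the pattern the post's permit-and-log rule exposed, and the same counting can be done by a SIEM rule instead of a script.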

Wednesday, March 12, 2014

Using Python To Prevent A System Crash

An issue with a critical server had been plaguing the IT department for upwards of a year without any resolution.

The issue stemmed from the server running out of virtual memory thus resulting in a crash.  This would happen every month or so.  The IT staff on board at the time were unable to find the cause of the issue and resorted to rebooting the server during the monthly maintenance window as a fix.

The server was running CentOS 6.3 and was being monitored using Nagios.

Shortly after I came aboard I found the following in the syslog file (/var/log/messages) after a crash by cross referencing the time Nagios reported the server being unavailable:

Sep 27 03:34:47 sit-admin kernel: smbd invoked oom-killer: gfp_mask=0x200da, order=0, oom_adj=0, oom_score_adj=0
Sep 27 04:03:55 sit-admin kernel: smbd invoked oom-killer: gfp_mask=0x200da, order=0, oom_adj=0, oom_score_adj=0
Sep 27 04:03:55 sit-admin kernel: smbd invoked oom-killer: gfp_mask=0x200da, order=0, oom_adj=0, oom_score_adj=0

The aforementioned error was a result of a memory leak in the version of Samba running on the server.  The error stems from the smbd daemon creating a new process every time a connection is attempted, successful or not.

The Linux kernel allows processes to request virtual memory whether there is enough memory available or not.  The kernel has a function called Out-Of-Memory Killer (oom-killer) that will kill processes that are of lower priority in order to keep the system running.

After many connections there were over 100 orphaned smbd processes on the system, thus exhausting memory and crashing the system.

Due to some (mis)configuration issues on another person's part, we were unable to update the version of Samba in a straightforward manner.

In order to prevent further crashes I wrote a Python script that checks the amount of swap space available and restarts the Samba daemon (or whatever daemon you specify) if the amount falls below a specified value.

The script can be found here.  I scheduled the script to run as a cron job and no further crashes have occurred.
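The post links to its script rather than showing it; the following is an added example written separately in the same spirit, not the author's script.  It parses /proc/meminfo, compares SwapFree against a threshold given on the command line, and restarts the named SysV service (defaulting to smb, the Samba init script on CentOS 6) when swap runs low.  The meminfo excerpt is constructed for the self-test and the command-line interface is an assumption.

```python
import subprocess
import sys

# Constructed /proc/meminfo excerpt used for the self-test (not real output).
SAMPLE_MEMINFO = """\
MemTotal:        4048296 kB
MemFree:           96512 kB
Buffers:           12048 kB
SwapTotal:       2097148 kB
SwapFree:         204800 kB
"""


def parse_meminfo(text):
    """Return {field: kB} for every numeric line of /proc/meminfo."""
    values = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, rest = line.split(":", 1)
        parts = rest.split()
        if parts and parts[0].isdigit():
            values[key.strip()] = int(parts[0])
    return values


def swap_below(text, min_free_kb):
    """True when SwapFree is under the threshold; a host with no swap counts as 0 kB."""
    return parse_meminfo(text).get("SwapFree", 0) < min_free_kb


def main(argv):
    # Usage (assumed, e.g. from cron): check_swap.py <min_swap_free_kb> [service]
    if len(argv) < 2:
        sys.stderr.write("usage: %s <min_swap_free_kb> [service]\n" % argv[0])
        return 2
    threshold = int(argv[1])
    service = argv[2] if len(argv) > 2 else "smb"
    f = open("/proc/meminfo")
    try:
        text = f.read()
    finally:
        f.close()
    if swap_below(text, threshold):
        # Restart through the SysV init script; cron mails any output to root.
        print("SwapFree below %d kB, restarting %s" % (threshold, service))
        return subprocess.call(["service", service, "restart"])
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The code avoids features newer than the Python 2.6 shipped with CentOS 6 so it can run unchanged on the kind of host described; the restart is a stopgap that buys time until the leaking Samba build is replaced.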


Monday, February 17, 2014

VMware Certified Professional - Data Center Virtualization

Recently I began the VMware vSphere: Install, Configure, Manage course, which is one of the prerequisite courses required in order to take the VCP5-DCV exam.

The VCP5-DCV certification covers installing, configuring and managing a vSphere 5 environment with vCenter. 

Anyone with any experience with VMware or virtualization in general knows that the VCP5 is a very sought after and respected certification.

I had the opportunity to take the course at an extremely discounted rate so I took advantage of it right away.  The course covers the majority of the exam content, but not all.  So significant self-study and lab work is required in order to pass the exam.

The study materials I am using to supplement the course are as follows:
In order to fully cover the topics on the exam and gain hands-on experience a lab is required.

There are two main options for building a home lab.  First, build a physical lab consisting of physical ESXi hosts and shared storage, and then virtualize the rest of the infrastructure.  Second, build a nested lab consisting of a fully virtualized infrastructure.  I chose the latter.

Since I already had a physical host running ESXi 5.1, I chose to virtualize my vCenter, iSCSI SAN, and domain controller.

I utilized FreeNAS for the iSCSI SAN.  It is simple and straightforward to set up and does the job very well.

Due to the limitations of the CPU in my ESXi 5.1 server, I had to run the ESXi 5.5 hosts in VMware Workstation on my desktop, which is capable of nested virtualization.  With this setup I am able to run a full vCenter environment along with virtual machines.

Here are some sample screen shots and a simple network diagram:


Sunday, February 16, 2014

Juniper Networks Certified Associate (JNCIA) - Junos

Today after a long period of study I passed the JN0-102 exam and earned the JNCIA - Junos certification.  This is my first Juniper certification and will surely not be my last.

The JNCIA - Junos is the first certification in the Junos certification track from Juniper.  It is the precursor to the JNCIS, JNCIP and JNCIE certifications in the Enterprise, Security and Service Provider certification tracks.

During my preparation for the exam, Juniper updated the JN0-101 exam to the JN0-102, removing some topics and introducing others.  I chose to take the JN0-102, which I shouldn't have since I hadn't studied the new topics thoroughly enough. 

I made the decision to take the JN0-102 based on the fact that Juniper had said the study materials for the old and new exams were the same and the exams were very similar.  However, once reading the detailed exam topics the night before the exam I learned otherwise.

I managed to pass the exam, but I know I would have done better on the JN0-101 exam.

Some topics the exam covers are routing, Junos operation, and subnetting.

Some of the resources I used for preparation are as follows:
The exam was straightforward with no real trick questions.

The Junos platform is more powerful and flexible than Cisco IOS in my opinion.  Features such as automatic archiving of configurations to a remote server, scheduled committing of configuration and the ability to roll back configurations to prevent locking oneself out of a device are some key features that I like.  The configuration syntax and methodology take some time to get used to if you're coming from a Cisco background, and the Juniper equivalent of a Cisco configuration is usually longer.  But once you get used to it, you'll appreciate the power of Junos.

For those thinking of taking the exam, be sure to take and pass the Pre-Assessment test on Juniper's website.  Once you do so you'll be given a 50% discount voucher code for the exam.

Saturday, February 15, 2014

Parsing a Configuration File Using Bash

Here's a simple way to use a configuration file with a Bash shell script.

#!/bin/bash
#Specify configuration file at command prompt
CONF_FILE="$1"
[ -r "$CONF_FILE" ] || { echo "Cannot read configuration file: $CONF_FILE" >&2; exit 1; }

#Look up one directive: anchor the key to the start of the line so a key that is
#a substring of another (or a commented-out copy) cannot match, and keep everything
#after the first '=' so values that themselves contain '=' are not truncated.
conf_get() {
    grep "^$1=" "$CONF_FILE" | head -n 1 | awk '{ print substr($0, index($0, "=") + 1) }'
}

#Read variables from conf file
ADDRESS=$(conf_get ADDRESS)
USERNAME=$(conf_get USERNAME)
FILETODOWNLOAD=$(conf_get FILETODOWNLOAD)
DOWNLOADPATH=$(conf_get DOWNLOADPATH)
LOGPATH=$(conf_get LOGPATH)
LOGRETENTION=$(conf_get LOGRETENTION)

Configuration file:

ADDRESS=192.168.88.20
USERNAME=sheldon
FILETODOWNLOAD=Downloads/*download.txt
DOWNLOADPATH=.
LOGPATH=logs/
LOGRETENTION=-1

The script uses grep and awk to parse the configuration file and assign the directives in it to variables in the script.  Treating the file as data in this way, rather than loading it with the shell's source (.) builtin, means nothing written in the configuration file is ever executed by the shell.