Juniper Data Center Cohesion Wrap Up

Finally getting caught up with work since my time in Cali and although this post is a little late, I wanted to take a moment to capture my thoughts on Juniper Network’s Data Center Cohesion event which took place in Sunnyvale at Juniper’s Aspiration Dome last week. I had an awesome time and the sessions were full of a ton of useful information geared towards all things Data Center. Apparently this was the first time that Juniper opened the conference to outside partners — roughly 16 partners showed up, so to say that I was honored to be there is quite an understatement.


Network Modernization Webinar Now Available Online

On February 8th I gave a webinar on network modernization initiatives with Doug Nash, the Deputy Chief Information Officer, Operations & Infrastructure at the USDA.

I thoroughly enjoyed the opportunity to speak with Doug and discuss some of the new directions that various Federal agencies are undertaking to create more modernized and agile networks.


An Inside Look at Juniper Networks’ Forthcoming JNCIE-DC Exam

Data Centers and the Cloud are all the rage right now, and Juniper has been at the forefront of the Data Center revolution from the very beginning – early on with their introduction of the QFX and the much maligned QFabric, and more recently with the addition of Virtual Chassis Fabric (VCF), various open architectures for creating IP Clos Fabrics, and even advanced features such as Junos Fusion for the Data Center, which collapses and simplifies the deployment and management of a large number of Ethernet switches.

The JNCIP-DC is currently rated as the fifth hottest Data Center certification by Tom’s IT Pro, an online resource tracking the demand of various industry certifications.

The folks at the Juniper Networks Technical Certification Program (JNTCP) have not been far behind, creating a Data Center track and releasing a new certification, the Juniper Networks Certified Professional Data Center (JNCIP-DC). I’ve been following the developments within the Data Center track for a while now, and you could imagine my delight when I saw the following a few months back on Juniper’s Certification portal:


Juniper Ambassador

I am delighted to announce that earlier this week I was accepted into Juniper’s Ambassador program. To say that I am completely honored is an understatement. Working with Juniper’s products and technologies has been a labor of love for me dating back almost 18 years, since my first introduction to Junos back in early 1999 — as such, I am thrilled to join the ranks of my esteemed peers, whom I sincerely consider to be the best in the industry. A special thanks goes out to Andy Green, Director of Education Services Americas at Juniper Networks, for nominating me and to the rest of the Juniper Ambassadors who apparently endorsed that nomination with a resounding yes. I look forward to seeing and collaborating with all of you on the J-Net Forums!


Juniper Networks Announces New Network Design Training Curriculum and Certification Program

Juniper took a big step forward in rounding out their certification programs by announcing a new Design Training and Certification curriculum, focusing on best practices and techniques that can be used across the spectrum of network architecture and design. Slated to be included in this program are also technologies around software-defined networking (SDN) and network functions virtualization (NFV).


Preparation Tips for the JNCIE-SEC Exam

Not a day that goes by since having passed the JNCIE-SEC exam that I don’t receive an inquiry in one form or another regarding how I prepared for the exam.  It seems that there is an incredible amount of interest in this exam, especially from all those die-hard ScreenOS folks that are now converting to Junos.  So instead of constantly repeating myself, I figured I’d just put it up on the blog so others can benefit (leaving me more time to do other things, ‘heh).


Juniper SRX Tips :: Altering Default-Deny Behavior

In our previous article, we looked at using apply-groups to alter all the security policies uniformly on an SRX device such that they would all have an implicit logging statement. And while this is fine for all existing policies, it doesn’t log traffic which doesn’t match any explicitly defined security policy.

The reason is that in Junos, traffic which doesn’t match an explicitly defined security policy is matched against the default-deny policy. Because the default-deny policy is only implicitly defined, apply-group configurations are of little benefit here: apply-groups can only be inherited by elements which have been explicitly defined.

Often in these cases, administrators will simply choose to create their own deny policies with the desired options and place this deny policy as the last policy for traffic going from one zone to another. However, in instances where there are many zones, it might prove too cumbersome and time consuming to manually configure this to accommodate all zones.

Clearly it would be more beneficial to have something akin to the Global Zone in ScreenOS which can be used to match on all traffic which doesn’t match against any of the explicitly defined security policies.  However, at the time of this writing, Global Zone functionality doesn’t exist in Junos.

The good news is that we can use the power of apply-groups once again to our benefit, this time to create an explicitly defined deny policy which will be inherited at the tail-end of all security policies defined within our configuration. Note that this will encompass both Inter-zone as well as Intra-zone traffic.

For this example, let’s assume that we want to log everything that would normally hit the default-deny policy. Let’s start by taking a look at our baseline configuration:

Here you can see we have a policy allowing all traffic outbound from the Users-subnet in the Trust zone towards the Untrust zone, and another policy allowing inbound HTTP traffic from the Untrust zone towards the Web Server in the Trust zone.  Now, in order to change the default-deny behavior and add additional options, we will use an apply-group to inherit a new policy at the tail-end of all previously defined policies, as follows:

Finally, let’s apply our apply-group at the [security policies] stanza within our configuration:

Now that we’ve completed the configuration, let’s examine the results of the application of our apply-group by taking a look at our security policies, this time by displaying the inherited configuration:

Once again, with just a couple of lines of code we can streamline the configuration to a large extent, in this case creating an explicitly defined deny policy which logs all traffic that would otherwise be silently discarded.  And best of all, we can do so without having to resort to manual configuration of each and every one.

In small installations this technique might be of little benefit, but in larger implementations consisting of dozens of zones with a combination of Interzone, Intrazone and bidirectional security policies, the benefit of such an approach cannot be overstated. Not only will this ease the configuration burden, but it will ensure that all traffic which doesn’t match any of the existing security policies is handled in a consistent manner. Of course, as with previous examples, if there are certain policies that we don’t want to inherit this new default-deny, we can simply utilize the apply-groups-except statement for each of those respective contexts.
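To make the technique concrete, here is the whole configuration in set syntax, written as an added example rather than the post’s own listing (which did not survive in this excerpt). The group name log-default-deny, the policy name log-and-deny and the address-book entries Users-subnet and Web-Server are assumed; the Trust and Untrust zones follow the text.

```junos
# Added example, not the original post's configuration. Names assumed as noted above.
# The <*> wildcards make the group match every explicitly configured zone pair.
set groups log-default-deny security policies from-zone <*> to-zone <*> policy log-and-deny match source-address any
set groups log-default-deny security policies from-zone <*> to-zone <*> policy log-and-deny match destination-address any
set groups log-default-deny security policies from-zone <*> to-zone <*> policy log-and-deny match application any
set groups log-default-deny security policies from-zone <*> to-zone <*> policy log-and-deny then deny
set groups log-default-deny security policies from-zone <*> to-zone <*> policy log-and-deny then log session-init

# Baseline explicit policies as described in the text (names assumed).
set security policies from-zone Trust to-zone Untrust policy allow-users-out match source-address Users-subnet
set security policies from-zone Trust to-zone Untrust policy allow-users-out match destination-address any
set security policies from-zone Trust to-zone Untrust policy allow-users-out match application any
set security policies from-zone Trust to-zone Untrust policy allow-users-out then permit
set security policies from-zone Untrust to-zone Trust policy allow-http-in match source-address any
set security policies from-zone Untrust to-zone Trust policy allow-http-in match destination-address Web-Server
set security policies from-zone Untrust to-zone Trust policy allow-http-in match application junos-http
set security policies from-zone Untrust to-zone Trust policy allow-http-in then permit

# Inherit the group at the [security policies] level. Inherited policies are
# appended after the explicit ones in each zone-pair context, so log-and-deny
# only sees traffic that would otherwise hit the implicit default-deny.
set security policies apply-groups log-default-deny

# Caveat from the text: a zone pair that should keep the silent default-deny
# opts out with apply-groups-except at that context.
set security policies from-zone Untrust to-zone Trust apply-groups-except log-default-deny

# Verify the effective, inherited policy order before committing:
#   show security policies from-zone Trust to-zone Untrust
#   show configuration security policies | display inheritance
```

Because the wildcard only expands into zone pairs that already have an explicit from-zone/to-zone block, traffic between zone pairs with no configured policies still falls to the silent implicit default-deny and is not logged.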

In our next article we will examine changing the built-in Junos application defaults so that we can customize timers and other parameters.