IPv4 Address Exhaustion Causing Harmful Effects on the Earth

Today, I received a very disturbing email on NANOG which was forwarded from a recipient on the Global Environment Watch (GEW) mailing list.  If this is true, we all need to take steps to make an orderly and smooth transition to IPv6 as quickly as possible, lest we suffer from the harmful effects described in this email.



Preparation Tips for the JNCIE-ER Exam

As many of you know, Juniper is currently undergoing a massive effort to update their certification program.  The previous track in ‘Enterprise Routing’ is now changing to ‘Enterprise Routing and Switching’ incorporating elements from the previous certification track in addition to some new elements essential to Enterprise switching such as Spanning-Tree, VLANs, Layer 2 Security, as well as High Availability features like Virtual Chassis.  We can expect that a lot of the topics like Firewalling and NAT will be removed from this exam as these topics will more properly appear in the Security track.

Although the new JNCIE-ENT certification is planned to be released in August 2011, there are many of you who are currently pursuing the existing JNCIE-ER before time runs out.  The good news is that Juniper plans to continue offering the existing JNCIE-ER exam until October 2011 so there is still quite a bit of time for those who are interested in attaining this certification.

There probably isn’t a single day that goes by that I don’t receive an email inquiry from someone currently pursuing the JNCIE-ER with a request to learn from my experiences and test preparation techniques.  And although this exam will only be available for another 7 months, I thought I’d write about my preparations and experiences with this exam so those candidates might benefit – not to mention it prevents me from having to keep repeating myself over and over again…

Building the Lab

For this particular exam, you are really going to need to get your hands on several J-Series routers, or at the very least some M/T/MX-Series routers with Adaptive Services capabilities (NOTE: This might require additional hardware on non J-Series devices, such as an Adaptive Services PIC or a Multi-Services PIC).  While it’s possible to do a lot of the routing preparation with Olives, a good majority of the exam is on services such as Firewalling, NAT, and IPsec.  Without the right hardware, a candidate cannot properly prepare for these sections as performing these functions in an Olive is impossible.  Olives have no hardware PFE or the appropriate Services PICs or Modules, therefore there is no SP interface which is required to create interface-style and next-hop style service-sets.

If you happen to have a bunch of SSG 300-Series or SSG 500-Series ending in an M in your environment, you may be in luck.  These devices can be successfully converted to an equivalent J-Series box running Junos.  For example, an SSG 320M can be converted to a J2320, and an SSG 350M can be converted to a J2350.

The easiest way to do this is to boot the SSG platform from the USB flash drive which has been formatted with the Junos image.  An easy way to build a loadable Junos image onto a USB flash drive is to insert the USB flash drive into a working J-Series device and then perform the following function:

This will copy all the appropriate system files and Junos image onto the flash drive and prepare it for booting on another device.

Once this has been done and the USB flash drive inserted into the SSG, the following commands can be issued to force the SSG to boot into Junos rather than ScreenOS:

NOTE: The SSG 300M-series or SSG 500M-series device must be running ScreenOS version 6.1 or later in order for you to perform the conversion.  If your device is running an earlier ScreenOS version, you must first upgrade it to ScreenOS 6.1 or later.

A more thorough explanation of the upgrade process can be found here: Converting SSG 300M-series and SSG 500M-series Security Devices to J-series Services Routers with a USB Storage Device.

Exam Preparation Materials

In terms of exam study materials, here is what I used for the exam:

  • ‘JUNOS Enterprise Routing’ by Harry Reynolds and Doug Marschke. Read it twice if you can.
  • ‘Advanced Juniper Networks Routing in the Enterprise’ courseware and labs which used to be available for free on the Juniper FastTrack site.  These are no longer available publicly, but can likely be found with a little digging.  I definitely recommend going through the labs because they are extremely representative of the types of things that you are likely to see on the exam.
  • ‘Adaptive Services’ chapter in the JUNOS ‘Services Interfaces Configuration Guide’ – it’s 500 pages but will definitely educate candidates on all the variants of Junos Services.
  • The ‘JNCIP-M Study Guide’ by Harry Reynolds is another really useful addition.  The labs in this book will really help with routing policy and configuration of OSPF, RIP, and BGP.
  • Probably the *single* most useful preparation tip I can give to anyone is to take the JNCIE-ER Bootcamp and/or the Remote Proctored lab exams offered by Proteus Networks.  I haven’t personally taken the bootcamp, but I did see the materials from a colleague who sat through it and after sitting the exam I can tell you their Bootcamp is spot on.  On another note, I did take their remote proctored lab exams and once again I am not disappointed with my experience with them.  Rick Schenderlein was my proctor with Proteus and he really took the time to help me understand the areas that I could use improvement on.

As with all Expert level lab exams, a very important tip is to make sure you read the full exam in its entirety before starting a single configuration element.  This is truly an expert level exam – one which requires you to think through your design decisions.  There are often things later on in the exam which require you to go back and reconfigure something you’ve already set up in a previous section.  Reading ahead will allow you to save yourself some time when you’ve thought your design through fully in advance.

All in all, I didn’t think the exam was that tough, but I also had 12+ years of experience working with Junos and a JNCIE-M certification prior to sitting the exam.  If you’ve already got the JNCIE-M, I think it’s actually possible to prepare and pass this exam in just a few short months since there is considerable overlap between these two exams.  In my case, I actually finished the exam in a little over 5 hours and spent another 1-2 hours going over everything just to make sure I had it right. I’ve heard that most people going in are pretty much down to the wire with time so I’m not sure what happened in my case but simply attribute it to being over-prepared and having spent about a full year of non-stop preparations between the JNCIP-M, JNCIE-M, and the JNCIE-ER exams.  The trick here, as with preparation for anything, is to be consistent and develop a schedule which you can live with – a few hours a day over a span of several months will serve you infinitely better than studying hundreds of hours the few weeks before your exam.  Slow and steady wins the race here… you’ll be surprised at how quickly a few months can go by when you’re motivated and committed to something!

I hope this helps those of you who are pursuing JNCIE-ER certifications, and I wish you the best of luck in your endeavors!

ShortestPathFirst Security Articles Now Featured on Infosec Island

I am very pleased to announce that several of my security articles have been published on Infosec Island.  Infosec Island is an online community focused on the Infosec professional which incorporates elements of community discussion and writings from various security practitioners throughout the industry.  It is truly an honor to have been invited to participate and contribute in this forum alongside many well respected writers and colleagues.

The following articles are now available:

The Misconceptions of Sidejacking with Firesheep

Reality Check: Traditional Perimeter Security is Dead

Man in the Middle (MITM) Attacks Explained 

Several more articles are in the works and in addition I am working on a very special analysis of the XerXes attack tool used in the attacks against Wikileaks which will be released sometime next week.

New Cyberspace Bill Proposed to Combat DDoS and Other Attacks

Responding to the firestorm of attacks being launched against Visa, Mastercard, Paypal, and other major institutions, various members of the US Government continue to press for dramatic legislation that would put the pulse of dealing with Cyberspace policy squarely within the White House.

All of this started with the infamous “Cablegate” incident on November 28th, 2010 when Wikileaks began releasing a large number of private communiqués belonging to members of the US State Department.

A hacktivist known as the Jester launched an application layer attack successfully targeting Wikileaks and bringing it down indefinitely. In addition, Amazon, Visa, Mastercard and several other organizations began to sever relationships with Wikileaks, leaving them few options for successfully continuing operations. Retaliation ensued and a group known as Anonymous Operations likewise launched their own DDoS attacks against these companies in retribution for supporting the censorship of Wikileaks.

In response to this recent spate of cyber attacks, Senator Tom Carper from Delaware released a press release calling for more protections to people and companies operating on the Internet. Carper, a key author of the legislation, along with Senators Joe Lieberman of Connecticut and Susan Collins of Maine, is calling for the government and the private sector to begin working together more closely to address the growing threats faced by all organizations conducting business online.

PRESS RELEASE:

WASHINGTON – Today, Sen. Tom Carper (D-Del.) released the following statement in response to the retaliatory cyber attacks on the websites of select companies and organizations recently involved with Wikileaks, including MasterCard and Visa:

“Today’s events, once again, underscore the necessity for more robust cybersecurity efforts in the United States. Time and time again, hackers have demonstrated their ruthless yet effective techniques to attack critical cyber networks, and today they used those sophisticated techniques to bring down two financial giants in MasterCard and Visa. Whether it’s cyber crime or cyber terrorism, clearly the United States needs effective leadership from the federal government to successfully combat these kinds of attacks and mitigate the damage. Legislation I’ve authored along with Senators Joe Lieberman (ID-Conn.) and Susan Collins (R-Maine), Protecting Cyberspace as a National Asset Act of 2010, does just that. This bipartisan bill is a vital tool that America needs to better protect cyber space. It encourages the government and the private sector to work together to address this growing threat and provides the tools and resources for America to be successful in this critical effort.”

The Protecting Cyberspace as a National Asset Act of 2010 would create an Office of Cyber Policy in the White House with a director accountable to the public who would lead all federal cyberspace efforts and devise national cyberspace strategy. A National Center for Cybersecurity and Communications within the Department of Homeland Security, also led by a director accountable to the public, would enforce cybersecurity policies throughout the government and the private sector. The bill would also establish a public/private partnership to set national cyber security priorities and improve national cyber security defenses.

Sources: WGMD, InfoSecIsland

Man in the Middle (MITM) Attacks Explained: ARP Poisoning

It’s been over 3 weeks since Firesheep was released, and yet still there seem to be so many misconceptions about this particular vulnerability.  The most prevalent of these misconceptions is that HTTP Session Hijacking, also known as “sidejacking”, is something which is limited to only wireless networks.  And this belief is not limited to just session hijacking attacks.  Somewhere along the way a myth was propagated that wired switched networks are somehow impervious to attacks like these and other similar types of attacks because of the use of collision domains and the inability of an attacker to have unfettered access to the Layer 2 medium.  As I mentioned in my previous article on the Misconceptions About Sidejacking with Firesheep, attacks like these and others are not relegated to strictly wireless networks, and in fact there are many so-called Man-in-the-Middle (MITM) attacks which can be performed on a switched wired network to compromise the imaginary security of a Layer 2 collision domain.


Bluehost IPv6 Epic Fail

Recently, I had a conversation with my hosting provider to determine if they had IPv6 support.  I’m interested in getting my web site set up and reachable via IPv6.  Below is a copy of the conversation I had with their customer support, which clearly indicates we’ve got a long way to go before IPv6 is ready for the masses:

Bluehost Support: Hi, how can I help you?
Stefan: Hi, I am a hosting customer and I was wondering if you currently have support for IPv6?
Bluehost Support: Let me look into that for you.
Bluehost Support: Yes, we do support IPv6.
Stefan: Great! Is there a cost associated with that and how do I go about setting that up?
Bluehost Support: I am sorry, we cannot give you IPv6 until our IP5 runs out.
Stefan: Wait, you just told me you have support for IPv6.  What the heck is IP5?
Bluehost Support: IP5 is the version before IP6.  We can’t give you an IP6 until our IP5 runs out. I am sorry for the misunderstanding.

The Misconceptions of Sidejacking with Firesheep

Unless you’ve been hiding under a rock for the past few days, you are probably well aware of the recent activity around a new Firefox extension developed by a pair of researchers that brings the issue of session hijacking front and center.  The duo behind this extension, Eric Butler and Ian “craSH” Gallagher, developed the software in order to demonstrate the vulnerabilities inherent in many web sites that don’t fully implement encryption.  The browser extension, dubbed “Firesheep”, essentially enables an attacker to grab other people’s credentials and use them to gain access to various web sites.
