SRX VIRTUALISATION: Basics

Virtualisation.

That got your attention didn't it! It's the big topic these days and in the SRX we can apply in several ways.


In the Juniper world we have VSYS on ScreenOS and LSYS for high end SRXs both of which allow the creation of logical firewalls with different administrative rights within a single box.


There is also Firefly Perimter to consider (Eval for 60 day)
http://www.juniper.net/us/en/products-services/security/firefly-perimeter/#evaluation

Even though we can't use LSYS on a branch SRX device we can still set up logical routers called Routing Instances on them and then apply specific zones/interfaces to those Routing Instances thereby gaining some degree or virtualisation in the branch SRX.

Lets look at a simple example of how to apply this..


SRX IDP: Templates Update

Did you notice that Juniper has updated their IDP policy templates?

First lets review the list of old of pre-defined templates..

blogger@SRX> show security idp policy-templates-list
Web_Server
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended


Lets check the version of that template..

blogger@SRX> show security idp security-package-version
  Attack database version:2395(Wed Jul  2 18:14:04 2014 UTC)
  Detector version :12.6.160140626
  Policy template version :2192

 
Lets check and see whats available..

blogger@SRX> request security idp security-package download check-server
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2395(Detector=12.6.160140626, Templates=2395)

 
So you see, even if you are automatically updating the attack database that doesn't update the policy templates.

SRX NAT: Destination

Today we will have a look at some Destination NAT (DNAT) on the SRX with port translation.

We have the following network scenario..



In the this scenario we need to do DNAT using the actual external interface IP (192.168.200.200).

So the flows will go like this.
.

PRENAT                                         POSTNAT
192.168.200.10 --> 192.168.200.200:8088        192.168.200.10 --> 10.31.254.17:80
192.168.200.10 --> 192.168.200.200:2088        192.168.200.10 --> 10.31.254.17:22


CX111

I recently had the opportunity to test out a CX111.
Its a device that acts as a L2 bridge between a 3G/4G USB modem connected to one of 3 available USB ports on it and a single Ethernet port.

http://www.juniper.net/au/en/products-services/routing/srx-series/cx111/

Specifically I tested it with a Telstra 4G Sierra Wireless AirCard 320U.
And the results were great!

SRX VPN: Multipoint

Happy New Year to all readers!

Today we are going to make a multipoint VPN.
One hub site (VPN-CORE) and 2 spokes sites (LEFTY and RIGHTY2). All devices are SRXs.


Multipoint is only supported with Route based VPNs so that's what we will be using and the key point to note is that the multipoint hub only uses a single tunnel interface regardless of the number of VPN tunnels.


In real life you probably wouldn't bother with multipoint for just 2 spokes but this is a lab so lets do it!

Here is the network we are working on..

We will want to get traffic between the 2 trust zones and the server-zone running over the VPN.