Category Archives: Juniper Networks

Researchers suspect NSA as FBI probes Juniper back door vulnerability

Some are suggesting the American Secret Service has created a backdoor in an American vendor's products, popularly installed in American government offices for connections to the Internet.

Not only that, but the affected devices are themselves supposed to be security devices. Is the state now at threat from this hack?

As CRN states: “Just shy of a week after Juniper revealed vulnerabilities in its firewall operating system, partners said a document saying that the NSA exploited the flaws to gain backdoor access to VPN connections has them concerned. The document, provided by whistleblower Edward Snowden and published Wednesday by The Intercept, indicates that the NSA has cooperated with British counterpart GCHQ to exploit vulnerabilities in Juniper NetScreen firewall devices running the ScreenOS operating system.”

The tech world is astounded!


Further Information here

The equipment in question is commonly known as NetScreen or ScreenOS firewalls of the SSG/ISG range.


Junos Space: What is it? How to set it up?

Version 15.1r1

This article is based on version 15.1r1. If the appliance is at factory default with an earlier version, it's recommended to boot from a USB-installed image and install that version before configuration. Further details are on page 118 of the Juniper Networks JA2500 Junos Space Appliance Hardware Guide.

This Article

This article covers just the base installation and the Network Management Platform section of the GUI; for information on other applications see other blog articles.

About

Junos Space is a central management tool for Juniper devices. It's either a hardware appliance or a virtual appliance (for ESX/ESXi 4+ or KVM). You can join multiple appliances together (called a fabric), but Juniper don't recommend mixing physical appliances with virtual ones, although it is supported. For KVM, Juniper recommend qemu-kvm on CentOS 6.5+. The ESX/ESXi host must have a Standard or Enterprise license.

Applications

On top of Junos Space a number of applications can be installed. This release of Junos Space Network Management Platform supports the following Junos Space applications:

• Network Director Release 2.5R1
• Security Director Release 15.1R1
• Service Now releases 14.1R1 to 15.1R1
• Service Insight releases 14.1R1 to 15.1R1
• Connectivity Services Director Release 1.0R1
• Cross Provisioning Platform 15.1R1
• Edge Services Director 1.0R1

Junos Space Log Director–Enables log collection across SRX Series Services Gateways and enables log visualization

Junos Space Network Director–Enables unified management of Juniper Networks EX Series Ethernet Switches, EX Series Ethernet switches with ELS support, QFX Series switches, QFabric, wireless LAN devices, and VMware vCenter devices in your network

Junos Space Security Director –Allows you to secure your network by creating and publishing firewall policies, IPsec VPNs, network address translation (NAT) policies, intrusion prevention system (IPS) policies, and application firewalls.

Junos Space Service Automation–End-to-end solution designed to streamline operations and enable proactive network management for Junos OS devices. The Service Automation solution consists of the following:

  • Junos Space Service Now
  • Junos Space Service Insight
  • Advanced Insight Scripts (AI-Scripts)

Junos Space Virtual Director–Enables the provisioning, bootstrapping, monitoring, and lifecycle management of a variety of Juniper virtual appliances and related virtual security solutions.

For Junos Space Application compatibility see KB27572

Underneath the Hood

Underneath is OpenNMS, which itself requires the Java SE SDK and PostgreSQL. Also installed are JBoss (application server), Apache Web Proxy (reverse proxy), a MySQL database and OpenSSL version 0.9.8e-33.el5_11.

Hardware Appliances
  • JA1500
  • JA2500
  • NSM3000 (same hardware as JA1500 – override the default OS with a new image via USB)

The JA1500 Junos Space Appliance has been tested with up to six appliances connected in a cluster (fabric), with the ability to manage up to 15,000 devices without the Network Monitoring functionality enabled.

The JA2500 Junos Space Appliance has been tested with up to eight appliances (four Junos Space nodes, two database (DB) nodes and two fault monitoring and performance monitoring (FMPM) nodes, or six Junos Space nodes and two FMPM nodes) connected in a cluster (fabric), with the ability to manage up to 25,000 devices.

Both have dual fans and support an optional second hot-swappable power supply. The Juniper Networks JA2500 Junos Space Appliance Hardware Guide details how to monitor the fans, power supplies and disks.

The JA1500 cannot have the Log Collector image installed.

Minimum hardware requirements for VM

• 64-bit quad processor with a clock speed of at least 2.66 GHz
• Four virtual CPUs
• One RJ-45 10/100/1000 network interface connector
• 32-GB RAM to configure the virtual appliance as a Junos Space node or fault monitoring and performance monitoring (FMPM) node
• 100-GB hard disk with an I/O speed of 200 Mbps+; add another 100 GB of disk resources if the Junos Space Virtual Appliance is to be configured as an FMPM node.

Memory

Note: Though 16-GB RAM is sufficient for a Junos Space node, we recommend that you use 32-GB RAM for better performance. The Junos Space Virtual Appliance file is distributed with 8 GB of RAM.

Disks

The JA1500 appliance has three 1-TB hard drives in a RAID 5 configuration. The JA2500 appliance has six 1-TB hard drives in a RAID 10 configuration. The disks are hot-swappable.

Disk I/O Speed

An I/O speed of 200 Mbps+ is required. You can determine the disk I/O speed of a node in the Junos Space fabric by logging in to the node as an admin user and executing the following command:

dd if=/dev/zero of=./test bs=8k count=500000

where test is the name of the file to which the command output is copied.

The following is the command output:

500000+0 records in
500000+0 records out
4096000000 bytes (4.1 GB) copied, 15.944 seconds, 257 MB/s

where 257 MB/s indicates the I/O speed of the disk.

We recommend that you delete the test file after determining the I/O speed.
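As an added example (not from the article or from Juniper's documentation), the following POSIX shell script runs the dd write test above, parses dd's summary line into the MB/s figure dd reports (as in the sample output), compares it against the 200 minimum, and removes the test file afterwards as recommended; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article or Juniper: run the dd write test from the
# Disk I/O Speed section, parse dd's summary line, compare against a minimum and
# remove the test file afterwards. Function and file names are this example's own.

# Print dd's reported throughput as whole MB/s (10^6 bytes per second), the unit
# dd itself uses. Bytes written are the first field of the summary line and the
# elapsed seconds follow the "copied," token, which holds for the older format on
# this page ("... copied, 15.944 seconds, 257 MB/s") and for the newer GNU format
# ("... copied, 15.944 s, 257 MB/s"). Prints nothing if no summary line is found.
dd_mbps() {
  printf '%s\n' "$1" | awk '
    /copied,/ {
      for (i = 1; i <= NF; i++) if ($i == "copied,") secs = $(i + 1)
      if (secs > 0) printf "%d\n", ($1 / secs) / 1000000 + 0.5   # round to nearest
      exit
    }'
}

# Run the write test in a directory and report PASS/FAIL against a minimum MB/s.
# Arguments: directory (default .), 8 KB block count (default 500000 = 4 GB as in
# the article), minimum MB/s (default 200). Returns 0 on PASS, 1 on FAIL, 2 if
# dd's output could not be parsed. The test file is removed even on failure.
check_disk_io() {
  dir=${1:-.}; count=${2:-500000}; min=${3:-200}
  testfile="$dir/test.$$"
  trap 'rm -f "$testfile"' EXIT
  summary=$(dd if=/dev/zero of="$testfile" bs=8k count="$count" 2>&1 | grep copied)
  rm -f "$testfile"
  rate=$(dd_mbps "$summary")
  if [ -z "$rate" ]; then
    echo "could not parse dd output: $summary" >&2
    return 2
  fi
  if [ "$rate" -ge "$min" ]; then
    echo "PASS: $rate MB/s (minimum $min MB/s)"
  else
    echo "FAIL: $rate MB/s (minimum $min MB/s)"
    return 1
  fi
}
```

Run `check_disk_io /var` on the node to test the partition Junos Space actually writes to; the page's sample line parses to 257 MB/s and passes.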

Disk Space

When configuring the virtual appliance as a Junos Space node, expand partitions as follows:
• 40 GB for /var
• 25 GB for /var/log
• 15 GB for /tmp
• 20 GB for /

When configuring the virtual appliance as a specialized or FMPM node, add another 100GB disk resources and expand partitions as follows:
• 120 GB for /var
• 40 GB for /var/log
• 20 GB for /tmp
• 20 GB for /

CLI

The default username is admin and the default password is abc123. There may be an issue with using the VMware console; see here.

Serial console settings:

• Baud rate: 9600 bits per second
• Data: 8 bits
• Flow control: None
• Parity: None
• Stop bits: 1

Maintenance Mode

The Maintenance mode administrator name is “maintenance” & the password is whatever was specified during the installation.

Web Management

https://vip (where vip is the fabric VIP address)

The default username is super and the default password is juniper123

Requires Adobe Flash 10.0+, a display resolution of 1280 x 1024 and a supported browser:

  • Mozilla Firefox 3.6 and later
  • Internet Explorer 8.0, 9.0, 10.0, and 11.0
  • Google Chrome 17 and later

Juniper recommend Mozilla Firefox or Chrome for upgrades.

The Network Monitoring Topology feature is not supported on Internet Explorer.

User Accounts

Local, RADIUS or TACACS+ authentication is supported, as is certificate authentication. Users can be assigned roles; there are 25 default roles and custom roles can be created. Users can also manage “Domains” containing devices. For M and MX Series devices, users can also be assigned to device partitions.

Space Type

Junos Space node types are:

  • Junos Space node: full functionality. Every Junos Space installation requires at least one Space node.
  • FMPM node: specialized for fault and performance monitoring only.

NTP

Make sure the appliance can reach an NTP server from the beginning.

Interfaces

You set up eth0 first and can add other interfaces afterwards if required. The interface has two IP addresses on the same subnet: the node address (appliance specific) and the VIP address (shared across the fabric). When the appliance talks outbound it communicates from the appliance-specific address, whereas inbound communication is to the fabric VIP address. So management is to the VIP, and devices talk to the VIP.

eth1: can be used for node-specific access to the device via SSH (optional); it could also be used for the Log Collector VM if installed on the same hardware appliance (optional). The jmp_config command configures the eth1 interface; verify with ifconfig eth1 and the /var/log/changeEth1.log file.

eth2: not used

eth3: Out of Band Network for managing devices (optional)

Licenses

Junos Space Network Management Platform comes with a 60-day full-featured trial license. All applications except the Service Automation applications require a license. The Service Automation applications (Service Now and Service Insight) just require a support contract and valid credentials to access the Juniper Support System (JSS) back end. The Security Director license is for managing X devices. When you buy Security Director you get Log Director for free, with 250-500 EPS (enough for 10-30 firewalls). You can purchase more EPS; as a rough rule of thumb, a firewall creates 10 security events per second on average and an IPS sensor 10 as well, so an SRX running IPS is around 20 EPS, and a larger SRX obviously produces more logs. Events arrive as JMBs (Juniper Message Bundles), so the number of logged sessions is higher than the EPS figure, i.e. one EPS unit may contain multiple log events.

Ports

Inbound: devices managed by Junos Space connect to port 7804 on the Junos Space node. The nodes are also SNMP trap destinations (UDP/162). Outbound: PING, SNMP (UDP/161) and SSH to the devices.

Device & Topology Discovery

Device Discovery is provided along with Topology Discovery. Topology Discovery shows how devices are connected, learning this through OSPF, IS-IS and LLDP, if configured.

Devices Supported

ACX, BX, EX, J, Junos Fusion, LN, M, MCG, MX, PTX, QFX, SRX, T, vMX, vSRX, VRR and WLC, with JUNOS 9.3+, where PING, SSHv2 and SNMP are configured for access. PING and SNMP are not strictly required, but you lose some functionality without them.

DMI schema updates for unknown device versions

A dedicated Device Management Interface (DMI) session is established between Junos Space and each device. For an unknown version of a device being managed, you just need to use Space to tell you which schema is missing and ask it to download the schema from the Juniper Schema Repository over the Internet, or it can be done manually. The DMI session is constantly up, or re-established automatically, and operates over SSHv2 or telnet.

System of Record

When the network itself is the system of record (NSOR), JUNOS Space imports the complete configuration and inventory of the device into its own database. To keep device information current, JUNOS Space listens to system log events raised by the device that indicate device configuration or inventory changes, and JUNOS Space automatically re-synchronizes its database with the latest information from the device. NSOR is the default and allows you to make changes directly on the device using the CLI or J-Web, knowing that these changes will be re-synchronized. Be careful, however, with the Security Director configuration tool for policies, as these policies and their objects won't be re-imported into Security Director unless requested.

When the JUNOS Space Network Management Platform is the system of record (SSOR), Junos Space reflects the changes on the device, but a Junos Space user with appropriate user privileges must resolve out-of-band changes.

Device Configuration Changes

You can use:

  • JUNOS Space Network Management Platform – schema-based configuration editor
  • JUNOS Space Network Management Platform – device templates
  • JUNOS Space Security Director application (for firewall policies)
  • JUNOS Space Network Director application (for switch ports)
  • Device CLI (if in NSOR mode)
  • Device J-Web (if in NSOR mode)

Processes

  • JBoss (application server)
  • Apache Web Proxy (reverse proxy)
  • MySQL
  • OpenNMS
  • PostgreSQL (required for OpenNMS)

Restarting Services

You may need to wait 15 to 20 minutes after a reboot or shutdown for the Space platform to be fully functional, and sometimes up to 30 minutes.

Upgrades

Done by browsing to a file through the web page; the transfer uses either HTTP or SCP and takes around 45 minutes to upgrade the platform, plus further time to upgrade each application.

Backups

You can back up locally or remotely. The local backup files are saved in the /var/cache/jboss/backup directory. When you initiate a backup, you can choose to back up only the MySQL data or both the MySQL and Network Monitoring data. Restoring from backup is easily done, but causes the device to go into Maintenance mode and requires downtime.