Tag Archives: Firewalls

Researchers suspect NSA as FBI probes Juniper back door vulnerability

Some are suggesting American Secret Service  has created a backdoor in an American vendors products – popularly installed in American government offices for connections to the Internet.

Not only that but the devices themselves affected – are supposed to be security devices – is the state now at threat from this hack?

As CRN states….”Just shy of a week after Juniper revealed vulnerabilities in its firewall operating system, partners said a document saying that the NSA exploited the flaws to gain backdoor access to VPN connections has them concerned. The document, provided by whistleblower Edward Snowden and published Wednesday by The Intercept, indicates that the NSA has cooperated with British counterpart GCHQ to exploit vulnerabilities in Juniper NetScreen firewall devices running the ScreenOS operating system.”

The tech World is astounded!

nsa offices
nsa offices

Further Information here

The equipment in question is coomonly known as Netscreen or ScreenOS firewalls of the SSG ISG range



Template Scope of Work: Juniper SRX Consultancy – CESG Certified VPN


Juniper SRX Consultancy – CESG Certified VPN

  1. Day 1 – Installation of 2 x Juniper SRX100 firewalls
  2. Day 2 – Configure Certificate based User VPN to SRX firewalls
  3. Day 3 – Continue configure & testing Certificate based User VPN to SRX firewalls
  4. Day 4 – Documentation based on CESG guidelines
  5. Day 5 – Follow up remediation work required as a result of the NCC or other third-party testing and validation

Caveats, Requirements, Assumptions

  1. SRX100 – Firewalls to be configured with VRRP for failover, but each firewall will be standalone. They will NOT be configured as a cluster with stateful failover (to meet CESG security requirements).
  2. SRX100 – Initial firewall configuration assumed to be  a basic configuration based on estimated 1 day installation
  3. SRX100 – Full admin & user access to firewalls at all times to test
  4. IPSec VPN – Configuration of client to firewall IPSec VPN’s. IPSec tunnel will be authenticated using x.509 certificates (using Windows 7 IPSec client with certs manually deployed).
  5. IPSec VPN must be configured as per CESG security guidelines (http://www.cesg.gov.uk/servicecatalogue/CPA/Pages/CPA-certified-products.aspx)
  6. IPSec VPN fully documented as to where it meets, and does not meet the requirements. This document is a key deliverable and will be submitted to the MoD as part of their compliance submission.
  7. IPSEC VPN using Windows 7 clients with IPSec tunnel (cert based) to the firewalls, IPSEC VPN Users user will authenticate via RSA 2FA using RSA Authentication Manager V8.1 for user authentication
  8. IPSEC VPN – configuration to be done on best endeavours basis – based on any caveats/constraints from Microsoft & Juniper Networks
  9. IPSEC VPN – Microsoft Certificate or other CA server to be in place and configured with User certificate issued.
  10. RSA Solution: Reseller will be installing the RSA solution.
  11. RSA solution: Integration details to be provided
  12. IPSEC VPN – after authentication users will be able to launch a MS Terminal Services desktop session.
  13. Consultant – Power for consultants laptop to be available in data centre
  14. Consultant – Internet Access in data centre
  15. Consultant – serial & network access to firewalls
  16. Consultant – responsible for Juniper SRX configuration only
  17. Documentation – exact documents to be followed to be given to consultant
  18. Documentation – to be produced in simple format covering main technical issues with formatting & other presentation as time allows.
  19. Equipment – Surrounding network already configured to allow routing between firewall, outside network &  MS Terminal Services and MS Certificate servers
  20. Testing – customer to provide laptop to test.
  21. Follow up work will be done as time allows and will be assumed to consist of minor changes to configuration & documentation
  22. Remediation Work – undertaken after third party testing has been performed.

Juniper Firewalls Throughput Matrix

Juniper Firewalls

The following table lists juniper Firewalls in order of throughput & sessions:

Juniper firewalls shown:

  • SSG series
  • ISG series
  • Netscreen 5200/5400
  • SRX series
  • J Series

Generally the JunOS SRX Firewalls are far superior to the old ScreenOS SSG/ISG/Netscreen firewall appliances.

The SRX are based on Screenos – although some fetaures have been implemented slightly differenly – ie NAT, Virtual routers, Screening.

The J Series (also JunOS) are now discontinued.

Juniper Firewalls Throughput Matrix

The Official Juniper Matrix is here

Template: 4 Days Check Point to Juniper Firewalls Migration


4 Days Juniper Firewalls Consultancy

 Scope of work

  • Install 2x Juniper SSG320M in first site
  • Replace existing Check Point firewalls with Juniper appliances
  • Install 1x Juniper SSG320M in second site
  • Configure VPN between sites
  • Configure for Remote Access with NCP client


  • Days 1 & 2– Configure Appliances ready for initial deployment
  • Day 3 – Complete Configuration of  Appliances & deploy to sites
  • Day 4 – Configure for Remote Access with NCP client


Initial Build

  • Full access to SSG320M Firewalls
  • Access to view current Check Point Configuration
    • Network configuration
    • Firewall policies
    • NAT rules
    • VPN setup
  • Build Environment to be available to configure Juniper appliances
  • Juniper Configuration to mimic Check Point configuration
  • Preshared key VPN to be configured between sites

Live deployment

  • Downtime required to deploy Juniper devices
  • Access to both firewalls required when deploying appliances (either remote or local access)
  • Surrounding switches/routers ARP tables may need clearing when deploying Juniper in place of previous Check Point appliances – either by:
    • CLI Access
    • reboot

Remote Access

  • Customer to have purchased NCP Secure Client – Juniper Edition
  • Customer device available to configure & test VPN connection
  • If Certificate based User Authentication required:
    • Certificate Authority to be already configured to issue certificates to Remote access users
    • Certificates to be issued to User Devices

Outside Scope

  • Any Other work outside of scope