Tuesday, 29 October 2013

Migrate Check Point Security Management Server to New Hardware

When upgrading a Check Point Security Management Server (also known as SmartCenter) to a newer version, I prefer to perform a fresh install on new hardware and migrate the existing database to it. Refer to the Check Point upgrade map here for valid upgrade paths. In my scenario I was running R71.20 on SecurePlatform (SPLAT) and could only upgrade directly to R75; the procedure below describes the steps performed. Perform these steps in a lab environment first to fully test and understand the procedure.

Upgrade the migration tools on the old server

Before exporting the database, the upgrade tools on the existing server need to be upgraded to the version being migrated to.
  1. Download the “Management Server Migration Tools” for R75 from the Check Point website.
  2. Extract the contents of the “Management Server Migration Tools” .tgz archive.
  3. Use SCP to copy the extracted contents to the existing R71.20 server, replacing the upgrade_tools directory at /opt/CPSuite-R71.20/fw1/bin/upgrade_tools.

Create a management database export file on the existing server

  1. Login to expert mode on the existing server.
  2. Type “cd $FWDIR/bin/upgrade_tools”.
  3. Run the migrate export command:

    “./migrate export -l <EXPORTED DATABASE NAME>.tgz”

Once the export has completed, use SCP to copy the export file to a safe location.


Import the database to the new Security Management Server

  1. From a client machine, copy the database export file to the new server via SCP. For simplicity I copy the export to the same location as the upgrade tools ($FWDIR/bin/upgrade_tools).
  2. Login to expert mode on the new server.
  3. Type “cd $FWDIR/bin/upgrade_tools”.
  4. Type “./migrate import BACKUPFILENAME.tgz”.
  5. When prompted to stop all Check Point services, type “Y” and press ENTER.
  6. Once the import procedure has completed it will prompt to start Check Point services; type “Y” and press ENTER.
  7. Disconnect the old server from the network.
  8. Connect the new server to the network.
  9. Connect to the SmartCenter using the correct SmartDashboard version.

Upgrade/migration complete: you should see all your policies, gateways, objects, networks etc. Open SmartView Tracker and after a short period the gateways will start logging to the new server. If no logs appear, install a policy to the gateways. As we migrated the database to a new server, the old server remains untouched and can be reverted to in the event of an issue.

Thursday, 26 September 2013

Private VLAN Concepts

Private VLANs: Extending the abilities of a VLAN

The private VLAN feature provides the ability to extend the capabilities of a “standard” VLAN. It does this by introducing some additional concepts: Primary VLAN, Community VLAN and Isolated VLAN. The Primary VLAN should be considered the Master in the master/slave relationship with the other two sub-types. Switch ports assigned within the primary VLAN are able to see traffic from all devices within the primary VLAN and all sub-types (also referred to as secondary VLANs).

Both Community and Isolated VLANs should be considered slaves in the master/slave relationship with the primary VLAN. Switchports assigned to a Community VLAN can see traffic from all other devices in the same Community VLAN and can send traffic back and forth with devices in the primary VLAN. Switchports assigned to an Isolated VLAN can send traffic back and forth with devices in the primary VLAN, but CANNOT see traffic from other devices in the same Isolated VLAN.

It is important to understand that regardless of the VLAN assignment of the switchport, all of the devices will share the same IP subnet; the private VLAN feature just sets up rules as to which devices are able to speak to each other.

[Figure 1: Private VLANs]

Why Use a Private VLAN?

The next question really is why would an engineer want to implement the private VLAN feature? This section goes over a few possibilities.

What if an Internet Service Provider (ISP) had limited subnet space and wanted to maximize it by assigning all of the customers in a geographic area to the same IP subnet? Of course, most customers do not want other people seeing their layer 2 switched traffic, as it opens up potential security issues. Individual customers who only have a single port connected into the service provider can be assigned to an isolated private VLAN; their traffic would then only be sent to and received by the ISP devices connected directly to the primary VLAN.

What if a company existed in the same geographic area and had multiple offices with multiple Internet connections? It is possible with community VLANs to connect all of these Internet connections together so that each would be able to talk directly to each other as well as go out and utilize the same Internet connection.

These are some very simple examples but they do show that the functionality of private VLANs can be useful to any design engineer looking for a solution to a specific set of design requirements.

(Note: the original post was written by Sean Wilkins at his blog http://www.trainsignal.com/blog/private-vlan-concepts)
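The forwarding rules described above (promiscuous ports in the primary VLAN reach everything, community members reach each other, isolated members reach only the primary VLAN) can be checked before a design goes on a switch. The following is an added example written for this page, not code from the original post or from any switch vendor; the port names, VLAN numbers and the ISP/customer topology are constructed to mirror the two scenarios in the text.

```python
"""Model of private VLAN reachability rules (added example; topology is constructed)."""
from dataclasses import dataclass

PROMISCUOUS = "promiscuous"   # port in the primary VLAN (e.g. the ISP router)
COMMUNITY = "community"       # secondary VLAN whose members see each other
ISOLATED = "isolated"         # secondary VLAN whose members see only promiscuous ports


@dataclass(frozen=True)
class Port:
    name: str
    role: str
    primary: int          # primary VLAN the port belongs to
    secondary: int = 0    # community or isolated VLAN id (0 for promiscuous ports)


def can_talk(a: Port, b: Port) -> bool:
    """Return True if layer-2 traffic is allowed between ports a and b."""
    if a.primary != b.primary:
        return False                       # different primary VLANs never mix
    if PROMISCUOUS in (a.role, b.role):
        return True                        # promiscuous ports reach every secondary VLAN
    if a.role == COMMUNITY and b.role == COMMUNITY:
        return a.secondary == b.secondary  # only within the same community
    return False                           # isolated ports, or two different communities


def reachability(ports):
    """Who-can-reach-whom matrix, useful for reviewing a PVLAN design on paper."""
    return {(a.name, b.name): can_talk(a, b) for a in ports for b in ports if a is not b}


# Constructed example: ISP router on a promiscuous port, two offices of one company
# in community VLAN 201, and two unrelated customers in isolated VLAN 202.
ISP = Port("isp-router", PROMISCUOUS, primary=100)
OFFICE1 = Port("office-1", COMMUNITY, primary=100, secondary=201)
OFFICE2 = Port("office-2", COMMUNITY, primary=100, secondary=201)
CUSTOMER1 = Port("customer-1", ISOLATED, primary=100, secondary=202)
CUSTOMER2 = Port("customer-2", ISOLATED, primary=100, secondary=202)
PORTS = [ISP, OFFICE1, OFFICE2, CUSTOMER1, CUSTOMER2]

if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability(PORTS).items()):
        print(f"{src:>11} -> {dst:<11} {'allowed' if ok else 'blocked'}")
```

Running it prints the full matrix: the two isolated customers cannot see each other even though they share a subnet and an isolated VLAN, while both offices in the community VLAN can, and every port can exchange traffic with the ISP router.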
 

Sunday, 11 August 2013

Concept and Example of Proxy ARP

Introduction

This post explains the concept of proxy Address Resolution Protocol (ARP). Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine. By "faking" its identity, the router accepts responsibility for routing packets to the "real" destination. Proxy ARP can help machines on a subnet reach remote subnets without the need to configure routing or a default gateway. Proxy ARP is defined in RFC 1027.

How Does Proxy ARP Work?

Host A (172.16.10.100) on Subnet A needs to send packets to Host D (172.16.20.200) on Subnet B. As shown in the diagram, Host A has a /16 subnet mask. This means that Host A believes it is directly connected to all of network 172.16.0.0. When Host A needs to communicate with any device it believes is directly connected, it sends an ARP request to the destination.
 
Therefore, when Host A needs to send a packet to Host D, Host A believes that Host D is directly connected, so it sends an ARP request to Host D. In order to reach Host D (172.16.20.200), Host A needs the MAC address of Host D. Therefore, Host A broadcasts an ARP request on Subnet A, as follows:

Sender's MAC Address   Sender's IP Address   Target MAC Address   Target IP Address
00-00-0c-94-36-aa      172.16.10.100         00-00-00-00-00-00    172.16.20.200

In this ARP request, Host A (172.16.10.100) asks Host D (172.16.20.200) to send its MAC address. The ARP request packet is then encapsulated in an Ethernet frame with the MAC address of Host A as the source address and the broadcast address (FFFF.FFFF.FFFF) as the destination address. Since the ARP request is a broadcast, it reaches all the nodes on Subnet A, including the e0 interface of the router, but it does not reach Host D, because routers by default do not forward broadcasts.

Since the router knows that the target address (172.16.20.200) is on another subnet and can reach Host D, it replies with its own MAC address to Host A.

Sender's MAC Address   Sender's IP Address   Target MAC Address   Target IP Address
00-00-0c-94-36-ab      172.16.20.200         00-00-0c-94-36-aa    172.16.10.100

This is the Proxy ARP reply that the router sends to Host A. The proxy ARP reply packet is encapsulated in an Ethernet frame with MAC address of the router as the source address and the MAC address of Host A as the destination address. The ARP replies are always unicast to the original requester.

Upon receipt of this ARP reply, Host A updates its ARP table as follows:

IP Address      MAC Address
172.16.20.200   00-00-0c-94-36-ab

From now on, Host A forwards all the packets that it wants to reach 172.16.20.200 (Host D) to the MAC address 00-00-0c-94-36-ab (router). Since the router knows how to reach Host D, the router forwards the packet to Host D. The ARP cache on the hosts in Subnet A is populated with the MAC address of the router for all the hosts on Subnet B. Hence, all packets destined to Subnet B are sent to the router. The router forwards those packets to the hosts in Subnet B.

The ARP cache of Host A is shown in this table:

IP Address      MAC Address
172.16.20.200   00-00-0c-94-36-ab
172.16.20.100   00-00-0c-94-36-ab
172.16.10.99    00-00-0c-94-36-ab
172.16.10.200   00-00-0c-94-36-bb

Note: Multiple IP addresses are mapped to a single MAC address, the MAC address of the router, which indicates that proxy ARP is in use.

The interface of the router must be configured to accept and respond to proxy ARP; this is enabled by default. The no ip proxy-arp command must be configured on the interface of the router connected to the ISP router. Proxy ARP can be disabled on each interface individually with the interface configuration command no ip proxy-arp, as shown:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface ethernet 0
Router(config-if)# no ip proxy-arp
Router(config-if)# ^Z
Router#

In order to enable proxy ARP on an interface, issue the ip proxy-arp interface configuration command.

Note: When Host B (172.16.10.200/24) on Subnet A tries to send packets to destination Host D (172.16.20.200) on Subnet B, it looks into its IP routing table and routes the packet accordingly. Host B (172.16.10.200/24) does not ARP for the Host D IP address 172.16.20.200 because it belongs to a different subnet than the one configured on Host B's Ethernet interface (172.16.10.200/24).

Advantages of Proxy ARP

1. The main advantage of proxy ARP is that it can be added to a single router on a network and does not disturb the routing tables of the other routers on the network.

2. Proxy ARP must be used on a network where IP hosts are not configured with a default gateway or have no routing intelligence.

Disadvantages of Proxy ARP

1. Hosts have no idea of the physical details of their network and assume it to be a flat network in which they can reach any destination simply by sending an ARP request. But using ARP for everything has disadvantages. These are some of the disadvantages:
 
• It increases the amount of ARP traffic on your segment.

• Hosts need larger ARP tables in order to handle IP-to-MAC address mappings.

• Security can be undermined. A machine can claim to be another in order to intercept packets, an act called "spoofing."

• It does not work for networks that do not use ARP for address resolution.

• It does not generalize to all network topologies, for example a topology in which more than one router connects the same two physical networks.
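The exchange described above, as an added simulation written for this page rather than code from the original post or from any vendor: a router with proxy ARP on its e0 interface answers Host A's /16-driven request for Host D with its own MAC, while Host B (/24, default gateway configured) only ever ARPs for the gateway. The router's Subnet B interface (e1, 172.16.20.99/24, MAC 00-00-0c-94-36-ac) does not appear in the post and is an assumption. The last helper implements the check from the note above from a defender's side: several IPs resolving to one MAC in a host's cache means proxy ARP is in use, or that a machine is answering for addresses that are not its own, which is the spoofing risk listed under the disadvantages.

```python
"""Simulation of the proxy ARP exchange above (added example; e1 details are assumed)."""
from ipaddress import ip_address, ip_interface


class Router:
    def __init__(self, interfaces):
        # interfaces: name -> (address/prefix, MAC, proxy-arp enabled on that interface)
        self.ifaces = {n: (ip_interface(ip), mac, proxy)
                       for n, (ip, mac, proxy) in interfaces.items()}

    def handle_arp_request(self, rx_iface, target_ip):
        """Return the MAC the router answers with, or None if it stays silent."""
        rx_net, rx_mac, proxy = self.ifaces[rx_iface]
        target = ip_address(target_ip)
        if target == rx_net.ip:
            return rx_mac                # ordinary ARP reply for the router's own address
        if target in rx_net.network:
            return None                  # target is local to the requester; it answers itself
        if not proxy:
            return None                  # 'no ip proxy-arp' configured on this interface
        # Proxy reply only when another interface actually reaches the target subnet.
        for name, (net, _mac, _proxy) in self.ifaces.items():
            if name != rx_iface and target in net.network:
                return rx_mac
        return None


class Host:
    def __init__(self, address_with_prefix, mac, gateway=None):
        self.iface = ip_interface(address_with_prefix)
        self.mac = mac
        self.gateway = gateway
        self.arp_cache = {}

    def needs_arp_for(self, dst_ip):
        """A host ARPs directly only for addresses its mask says are on-link."""
        return ip_address(dst_ip) in self.iface.network

    def resolve(self, dst_ip, router, rx_iface):
        """Resolve the MAC this host will address frames for dst_ip to."""
        next_hop = dst_ip if self.needs_arp_for(dst_ip) else self.gateway
        if next_hop is None:
            return None                  # no route and not on-link: unreachable
        if next_hop in self.arp_cache:
            return self.arp_cache[next_hop]
        reply = router.handle_arp_request(rx_iface, next_hop)  # broadcast reaches e0
        if reply is not None:
            self.arp_cache[next_hop] = reply
        return reply


def macs_with_multiple_ips(arp_cache):
    """Defender's check: MACs that answer for several IPs (proxy ARP, or spoofing)."""
    by_mac = {}
    for ip, mac in arp_cache.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed topology following the post: Subnet A 172.16.10.0/24, Subnet B 172.16.20.0/24.
ROUTER = Router({
    "e0": ("172.16.10.99/24", "00-00-0c-94-36-ab", True),
    "e1": ("172.16.20.99/24", "00-00-0c-94-36-ac", True),   # assumed address and MAC
})
HOST_A = Host("172.16.10.100/16", "00-00-0c-94-36-aa")                      # /16: thinks B is on-link
HOST_B = Host("172.16.10.200/24", "00-00-0c-94-36-bb", gateway="172.16.10.99")

if __name__ == "__main__":
    print("Host A -> Host D next-hop MAC:", HOST_A.resolve("172.16.20.200", ROUTER, "e0"))
    print("Host A -> 172.16.20.100 MAC  :", HOST_A.resolve("172.16.20.100", ROUTER, "e0"))
    print("Host B -> Host D next-hop MAC:", HOST_B.resolve("172.16.20.200", ROUTER, "e0"))
    print("MACs answering for many IPs  :", macs_with_multiple_ips(HOST_A.arp_cache))
```

Host A ends up with the router's e0 MAC for every Subnet B address it has talked to, exactly the cache shown in the table; Host B's cache contains only the gateway. Disabling proxy ARP on e0 (third tuple element False) makes the router silent for Host A's requests, which is why the /16 host then loses reachability to Subnet B while the /24 host with a default gateway is unaffected.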

Basic Understanding about FTP

FTP is an abbreviation of File Transfer Protocol. It is the main network protocol used for downloading and uploading files from one host to another over a TCP-based network such as the Internet. FTP works on the client-server model and uses a separate data connection between client and server. By default the FTP server listens on TCP port 21.

How does FTP work?

A client makes a TCP connection to the server on port 21. This connection remains open for the duration of the session and is therefore called the control connection. A second connection, the data connection, is then opened (from server port 20 in active mode). The control connection is used for authentication, commands and administrative exchanges between the client and the server.

Types of FTP

There are two types of FTP.

Passive FTP: - In passive mode, the client establishes both channels (data and control). The server tells the client which port should be used for the data channel.

Active FTP: - In active mode, the client establishes the control channel but the server establishes the data channel back to the client.
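The difference between the two modes comes down to who announces a data-channel endpoint on the control connection. The following is an added example written for this page, not code from the original post: it decodes the server's PASV reply used in passive mode and builds the client's PORT command used in active mode, in both cases with the port split into two octets as the protocol requires. The sample reply and addresses are constructed. The optional control_peer_ip check in parse_pasv_reply is the practitioner's caveat: a client should refuse to follow a PASV reply that points at a different address than the server it is already talking to (this is the same check Python's ftplib applies unless trust_server_pasv_ipv4_address is set).

```python
"""FTP passive/active data-channel negotiation (added example; samples are constructed)."""
import re

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _decode_hostport(groups):
    """Six decimal octets -> (dotted IPv4 address, port); ports are p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in groups)
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(reply, control_peer_ip=None):
    """Passive mode: the server tells the client where to connect for data.

    When control_peer_ip is given, an advertised address that differs from the
    control-connection peer is rejected instead of connected to.
    """
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    ip, port = _decode_hostport(m.groups())
    if control_peer_ip is not None and ip != control_peer_ip:
        raise ValueError(f"server advertised {ip} but control connection is to {control_peer_ip}")
    return ip, port


def build_port_command(client_ip, client_port):
    """Active mode: the client tells the server where to connect back to."""
    if not 0 < client_port < 65536:
        raise ValueError("port out of range")
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("invalid IPv4 address")
    return f"PORT {','.join(octets)},{client_port // 256},{client_port % 256}"


def parse_port_command(cmd):
    """Server-side decode of a PORT command, with the same validation in reverse."""
    m = PORT_RE.fullmatch(cmd.strip())
    if not m:
        raise ValueError(f"malformed PORT command: {cmd!r}")
    return _decode_hostport(m.groups())


# Constructed control-channel lines for the two modes.
PASV_EXCHANGE = ["PASV", "227 Entering Passive Mode (192,168,1,10,195,80)"]
ACTIVE_EXCHANGE = [build_port_command("192.168.1.20", 50001), "200 PORT command successful"]

if __name__ == "__main__":
    print("passive: client connects to", parse_pasv_reply(PASV_EXCHANGE[1], "192.168.1.10"))
    print("active : server connects to", parse_port_command(ACTIVE_EXCHANGE[0]))
```

For the constructed reply, (195,80) decodes to port 195*256 + 80 = 50000, which is the endpoint a passive client would open a second TCP connection to; in active mode the roles reverse and the client's PORT line carries its own address and a listening port in the same encoding.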

Wednesday, 24 April 2013

How to Configure ACL on JUNOS Switches

Below are the configuration commands for implementing an ACL on JUNOS switches. Keep in mind that on Juniper switches an ACL is called a firewall filter.

Here we take one of the most common scenarios: say you would like to restrict Telnet, SSH, HTTP, HTTPS or SNMP access to a JUNOS-based switch.

We have one JUNOS switch which can currently be accessed from our whole network via Telnet, SSH, HTTP/HTTPS and SNMP, and we would like to limit this access to only one or two subnets. In our case we would like to allow Telnet, SSH, HTTP/HTTPS and SNMP only from the subnets 192.168.1.0/24 and 192.168.2.0/24.

There are two steps for implementing firewall filters:

1. Define the filtering terms/rules.
2. Apply the filter to a router interface/VLAN.

Step 1

Terms are evaluated top-down and the first match wins. A Junos firewall filter ends with an implicit discard, so the final term accepts all other traffic; without it, everything on the VLAN except the management protocols would be dropped.

[edit firewall]
set filter acl_name term switch_management_allow from source-address 192.168.1.0/24
set filter acl_name term switch_management_allow from source-address 192.168.2.0/24
set filter acl_name term switch_management_allow from protocol tcp
set filter acl_name term switch_management_allow from destination-port [telnet ssh http https]
set filter acl_name term switch_management_allow from protocol udp
set filter acl_name term switch_management_allow from destination-port [snmp]
set filter acl_name term switch_management_allow then accept
set filter acl_name term switch_management_block from protocol tcp
set filter acl_name term switch_management_block from destination-port [telnet ssh http https]
set filter acl_name term switch_management_block from protocol udp
set filter acl_name term switch_management_block from destination-port [snmp]
set filter acl_name term switch_management_block then log
set filter acl_name term switch_management_block then reject
set filter acl_name term allow_other then accept

Step 2

[edit vlans]
set vlan_name vlan-id 100 filter input acl_name
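To see how the terms above behave before committing them, the following is an added example written for this page (not Juniper code and not from the original post) that models the filter in Python with Junos semantics: terms evaluated in order, first match wins, and an implicit discard for anything that matches no term. The sample packets and the term names are constructed; the last term is the catch-all whose absence would discard all ordinary VLAN traffic.

```python
"""First-match evaluation of the management ACL above (added example; samples constructed)."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

PORTS = {"telnet": 23, "ssh": 22, "http": 80, "https": 443, "snmp": 161}
MANAGEMENT = {"tcp": {PORTS[n] for n in ("telnet", "ssh", "http", "https")},
              "udp": {PORTS["snmp"]}}
ALLOWED_SOURCES = [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")]
TERMINATING = {"accept", "reject", "discard"}


class Packet(NamedTuple):
    src: str
    proto: str
    dport: int


def matches_management(pkt):
    """from protocol tcp/udp + from destination-port [...] of the two management terms."""
    return pkt.dport in MANAGEMENT.get(pkt.proto, set())


def from_allowed_source(pkt):
    """from source-address 192.168.1.0/24 or 192.168.2.0/24 (values in one term are OR'd)."""
    return any(ip_address(pkt.src) in net for net in ALLOWED_SOURCES)


# Terms in configuration order: (name, match predicate, actions).  Non-terminating
# actions such as 'log' run alongside the terminating accept/reject/discard.
FILTER = [
    ("switch_management_allow", lambda p: matches_management(p) and from_allowed_source(p), ("accept",)),
    ("switch_management_block", matches_management, ("log", "reject")),
    ("allow_other", lambda p: True, ("accept",)),
]


def evaluate(filter_terms, pkt, log=None):
    """Return the terminating action for pkt; first matching term wins."""
    for name, match, actions in filter_terms:
        if match(pkt):
            if "log" in actions and log is not None:
                log.append(f"{name}: {pkt.proto}/{pkt.dport} from {pkt.src}")
            return next(a for a in actions if a in TERMINATING)
    return "discard"   # implicit discard at the end of every Junos firewall filter


# Constructed sample traffic arriving on the VLAN.
SAMPLES = [
    Packet("192.168.1.25", "tcp", 22),   # admin SSH from an allowed subnet
    Packet("10.5.5.5", "tcp", 22),       # SSH from anywhere else
    Packet("10.5.5.5", "udp", 161),      # SNMP from anywhere else
    Packet("10.5.5.5", "tcp", 445),      # ordinary user traffic on the VLAN
]

if __name__ == "__main__":
    hits = []
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(FILTER, pkt, hits))
    print("logged by block term:", hits)
    print("same traffic without the catch-all term:",
          [evaluate(FILTER[:2], p) for p in SAMPLES])
```

The last line of the demo is the point of the catch-all: with only the two management terms, the SMB packet from 10.5.5.5 falls through to the implicit discard, so the filter would silently break every non-management flow on VLAN 100 while still doing its job for SSH and SNMP.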