Wednesday, September 20, 2017

Creat AWS Diagrams Online

I was looking for some online tools to create impressive AWS diagram for my learning process. Most of online diagram websites provide certain free usages. Here are some websites I found useful to me.

 

1. AWS 3D Diagram from Cloudcraft.co


It is quite impressive when I started to make my first diagram. Limit grid size is a big pain when you try to draw a detail diagram for your AWS VPC, but it is good enough to draw a three tier application deployment. 

Cloudcraft allows registered user to create AWS diagrams for free using all available components with some feature limited. Upgrade to Cloudcraft Pro for import of live AWS data and unlimited size diagrams. It can automatically calculate the cost for your design, and  also provides live connection to your AWS account. The auto-connection feature to connect the components makes it much easier to use than other websites. So far, I think it is best site for me .





My Top Internet / Network Tools

There are lots of useful sites which helps the troubleshooting procedures. I listed some common tools or websites used by myself. Please let me know what you are using and I would like to try them and add them into this list.

1. Internet/Network Tools Portal
Ping – Shows how long it takes for packets to reach host
Traceroute – Traces the route of packets to destination host from our server
DNS lookup – Look up DNS record
WHOIS – Lists contact info for an IP or domain
Port check – Tests if port is opened on specified IP
Reverse lookup – Gets hostname by IP address
Proxy checker – Detects a proxy server
Bandwidth meter – Detects your download speed from our server
Network calculator – Calculates subnet range by network mask
Network mask calculator – Calculates network mask by subnet range
Country by IP – Detects country by IP or hostname
Unit converter – Converts values from one unit to another
DNS checks detailed dns information for a hostname ( www.facebook.com , www.yahoo.com , www.youtube.com )
IP-number checks ip number information such as dns reverse and forwards
route checks a specific routed prefix
AS numbers checks information on an AS-number
AS macros checks who belongs to an AS-macro

Monday, September 11, 2017

Cisco Router IKEv2 IPSec VPN Configuration

What is Differences between IKEv1 and IKE v2?
1. Different negotiation processes
− IKEv1
  • IKEv1 SA negotiation consists of two phases.
  • IKEv1 phase 1 negotiation aims to establish the IKE SA. This process supports the main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, but aggressive mode uses only three. Therefore, aggressive mode is faster in IKE SA establishment. However, aggressive mode does not provide the Peer Identity Protection.
  • IKEv1 phase 2 negotiation aims to set up the IPSec SA for data transmission. This process uses the fast exchange mode (3 ISAKMP messages) to complete the negotiation.
− IKEv2
  • Compared with IKEv1, IKEv2 simplifies the SA negotiation process. IKEv2 uses two exchanges (a total of 4 messages) to create an IKE SA and a pair of IPSec SAs. To create multiple pairs of IPSec SAs, only one additional exchange is needed for each additional pair of SAs.

Friday, September 8, 2017

Juniper Space Security Director Policy Hit Counts Not Updated Automatically


Issue Symptons:
  • Normally, each firewall rule on the SRX auto-updates a snmp counter for hit-count, regardless of whether 'count' is configured or not.  Juniper Space Security Director periodically polls these OIDs and updates the hit-count.   
  • In Junper Space 16.1 R1, the issue found is unable to view policy hit counts from Juniper Space Security Director, but SRX itself is keep updating. 

Actions Taken:
  • Verify Security Appliance Policy Hits from Command line
root@fw-mgmt-2> show security policies hit-count 
node1:
--------------------------------------------------------------------------

Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 1       Vlan2              Vlan1        Baramondi_Monitor 0            
 2       Vlan2              Vlan1        10             4428         
 3       Vlan2              Vlan1        50             0            
 4       Vlan2              Vlan1        40             11136        
 5       Vlan2              Vlan1        default-logdrop 0            
 6       Vlan2              Vlan1        53             2007         
 7       Vlan2              Vlan1        54             0            
 8       Vlan2              Vlan1        55             0            
 9       Vlan2              MGMT              6              538          
 10      Vlan2              MGMT              23             0            
 11      Vlan2              MGMT              74             2            
 12      Vlan2              MGMT              default-logdrop 81           
 13      Office              Vlan1        default-logdrop 0            
 14      Office              Vlan1        60             447          
 15      Office              Vlan1        Office_Archive    0            
 16      Office              Vlan1        58             0            
 17      Office              Vlan1        Baramondi_Monitor-1 0            
 18      Office              MGMT              Office_Archive-1  0            
 19      Office              MGMT              default-logdrop 0            
 20      Vlan1       Vlan2               Baramondi_Rules 0            
 21      Vlan1       Vlan2               VA             0            
 22      Vlan1       Vlan2               A_Office_2_Vlan2    292          
 23      Vlan1       Vlan2               default-logdrop 1696         
 24      Vlan1       Office               VA-1           0            
 25      Vlan1       Office               Baramondi_Rules-1 0            
 26      Vlan1       Office               Device-Zone-1  0            
 27      Vlan1       Office               4              1299         
 28      Vlan1       Office               default-logdrop 0            
   ........


It is clearly there is hit counts on SRX itself, but they are not being pulled/pushed into Space. Log collecter has beenconfigured and it is receiving logs from this SRX.

Wednesday, September 6, 2017

Cisco IOS Command Tips and Tricks - Part 2

Cisco IOS command list is getting longer , and it has been split into two posts:

21. Auto secure

Cisco also provides a One-step lockdown-like feature at the command line! This feature is called AutoSecure. It uses the command shown below:

auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]



22. Change Site-to-Site VPN Idle time out to 5 minutes

For IOS Router


R1(config)#crypto ipsec security-association idle-time 300


For ASA


ASA1(config)#group-policy GP_1.1.1.2 attributes
ASA1(config-group-policy)#vpn-idle-timeout 300

ASA1(config-group-policy)#vpn-session-timeout none