Sunday, July 24, 2016

JunOS: Why Juniper networks and JunOS should be a skill in your networking arsenal

I have been working in the IT networking field for the last ten years and I'm sure it is no surprise for me to say that a lot of that time was spent working on Cisco systems.  IOS is practically ingrained into my DNA. Nothing makes me happier than getting to set up new networks or troubleshooting with Cisco equipment and their operating systems.  Whether it's IOS, NX-OS, IOS-XR, ASA, or even CatOS, I feel completely at home working with their software and command structure.  I'm one of those CLI elitists who refuses to use GUIs to get the job done.

I have, from time to time, stepped out of my comfort zone and wandered into the different worlds of other vendors' platforms and have never felt comfortable with the results, until now.  I have worked on various platforms, such as 3Com, HP (now one and the same), Alcatel, Netgear, and several others.  I can honestly say that JunOS is the first OS since Cisco's in which I feel comfortable and confident in what I'm dealing with.

I know you may think that I've drunk the Juniper Kool-Aid and jumped ship, but it's quite the opposite.  I think that Juniper's platform definitely has its place in the world, but I think that it can also work quite well in a mixed environment.  I started working on a network that has Juniper for specific layers in their network, and Cisco for the rest.

Before I started working on it, the company sent me to Juniper training.  Before I started the training I took a look at Juniper's site and found a free training module titled "JunOS as a second language."  It was created for the sole purpose of helping Cisco aficionados, such as myself, get comfortable with JunOS, and it helps you shape your mind by showing the similarities and differences between IOS and JunOS.  I was immediately amazed with what JunOS could do and jumped right into my training.

There are several benefits of using the Juniper platform, as well as some caveats:

Commit and quit, instead of mistake and bake - Juniper does not have config changes take effect on the fly.  Instead they have you commit the config first, and there are several tools you can use to check the config before committing.  "commit | compare" lets you see exactly what changes you are about to make when you commit.  They keep your previous configs, which you can "rollback" to in case you need to back step.  You can even set a timer for the commit, so if you get knocked out of your session after committing, the device will roll back once it doesn't see you put in a second commit within the specified time.

Logs, logs, logs - Log files are broken out into various forms to make it easier to search for the specific message you want to look at.  There's the standard syslog, which is called messages, but you also have logs for things like command history and a host of others.  It can be really handy when it comes to troubleshooting.

Now for the double-edged sword.  Their command structure is set up in a hierarchical form, meaning that you drill down through logical steps instead of random commands spread out throughout the config.  The one issue I have with it is that it makes the config file rather long and hard to sort through.  There are ways around it, but it would be nice to have that "sh run" page that I'm so used to.

There are many other pros and cons to JunOS and I could go on and on about the benefits of using Juniper, even in a mixed environment, but my posts are short on purpose.  I'm not here to teach you everything you need to know, and I don't put in "cut and paste" commands for you to use.  I keep it short so you get a basic idea of what I'm talking about and have a jumping-off point to explore the wonderful world of networking.

If anything I said piqued your interest, I strongly suggest that you go check out their site.  They have tons of great articles and free training modules to get you started.  I believe that Juniper is going to grow quicker than you might think and it would be a good idea to have an understanding of how they work.  You might even enjoy it! :)

Happy networking!

Saturday, June 6, 2015

Why hack anything?

Over the years, I have enjoyed modifying many things to suit my needs.  The term "hacking" typically means exactly that: to modify anything from its original purpose in order to serve a new one.  People tend to confuse hacking to mean other things.

Of course, there is the movie style hacker, banging away at his keyboard and mystically gaining access to top secret government sites in 3 seconds flat.  While I can't say that it's impossible, the simple thought of what the hacker is doing is asinine.  Firstly I would imagine that gaining access to high security data would take at least 4 seconds.  Secondly, why the hell is he typing so much?  There are many other times the term is used in vain, but that is not the point of this post.

The point is that hacking into something, tearing it apart and rebuilding it in a different way, can be a lot of fun.  But what is the point?  Why put so much effort into making a toaster that puts Darth Vader imprints on your toast?  Why mess with anything to change what it's supposed to do?

The basic answer is simple.... because we can!  Some of us just want to see if we can do it.  We were the kids that took the watch or the toaster apart.... and never put them back together.  The inner workings of everything around us never cease to amaze us.

There are logical reasons for hacking things too.  One reason is because we can add new features to something.  People modify smart phone firmware in order to gain access to things that the manufacturer didn't want us to get to.  We can create new interfaces that far surpass what is currently available to us.  Smart phone manufacturers even seem to take notice and "magically" incorporate new features in the next model that were only previously available in older modified models.

We can also breathe new life into an old machine and give it a new purpose.  What was once an old laptop is now a multimedia server or a full-featured firewall.  An old payphone that serves no current purpose has been radically transformed into a fun retro interface to your Skype account.  It beats adding more stuff to the landfill, right?

The great thing about the digital age is that anyone can perform these modifications, thanks to the vast communities of enthusiasts that provide walk-throughs, tips & tricks and even pre-made kits, in order to give everyone the opportunity to build what they built.

Today, hacking is starting to lose the villainous luster that it had in decades past.  People are starting to understand the true underlying meaning of hacking and have become constructive and non-evil hackers themselves.  If you have never truly modified anything you should really try it.  It is fun, educational, exciting and gives you that great feeling of accomplishment once you're finished... after many hours of pure frustration and anger while you are trying to figure it out.  In the end, even if you do fail, you won't be any worse off than when you started, and you will probably be better off in some way if you succeed.

Saturday, February 1, 2014

The key to training

We have all gone through training in our personal and professional lives, whether it be corporate-mandated safety training to help with their CYA initiative, Lamaze classes for the new parents-to-be, or specific training that is tailored to help you hone the skills required for your career.  The days of college degrees being enough to get you a high-paying job, and a high school diploma being enough to get you an entry-level job, are over.  With the growing rate of people earning associate's degrees or higher, the job industry has decided to rely on another institute of knowledge to help them evaluate a potential employee's worth.... certifications.  Coming from the technical field, I can tell you that the jobs I have obtained relied more heavily on my certifications than on my education.  I am of course excluding experience, since it is a catch-22 situation where people want you to have it, but you cannot achieve it without a job to get the experience.  I will touch on that sensitive topic in another post, since it requires a lot of explanation on how to obtain it.

Since I started building my path to my career over 15 years ago, I can tell you that training has become a pivotal point that has had a dramatic influence on the decisions that got me where I am today.  I have gone to dozens of training classes, covering a wide variety of skills and knowledge.  From doing so, I can tell you that there is such a thing as wasting time on training.  With the advent of putting emphasis on training over education, it can be quite easy to believe that all training is good, but I am here to tell you that it is not the case.  While most training offered to you can be beneficial, whether for the short-term or long-term goals of your career, what I am saying is that you need to prioritize your training, in order to streamline your educational and career path.

I will give you an example.  When I was an LMW (last mile wireless) technician, I volunteered a lot of my time to Cisco network training.  I was thoroughly interested in networking and wanted to learn more about it.  The training helped me understand more about what was affected by my job, but it did not necessarily help me do my job.  I knew, though, that they were closely related.  When the LMW team became defunct, the organization I was working for decided to put me into the networking team, since I had so much training in Cisco networking.  This ended up being a huge advantage for me.  It allowed someone who, at the time, only had an associate's degree to be involved with a team that would otherwise have asked for more education.  My training is what saved me from a possible life of monotony, dealing with a job that consisted of far more basic and non-intelligent tasks.

To play the Devil's advocate, I must also say that there have been plenty of training opportunities that I agreed to that ended up being a waste of time.  While I was in the middle of my "fire sale" of training opportunities, I participated in a lot of training classes that ended up not helping my career, nor helping me in any other beneficial way.  For example, I once participated in Cisco MARS training.  While the Cisco MARS box is great, I had no reason to train on technology that I would never actually interact with.  When I eventually became part of the network security team with that organization, the Cisco MARS technology had already become obsolete and had been replaced with a different technology, which I had no training in.  At that point, I realized that there was such a thing as "wasted training".

Since then, I have learned that I needed to streamline my training opportunities, in order to maximize my time with sensible, applicable training.  Although I have been given a multitude of training opportunities with the organizations that I've worked with, I have learned that not all training is valuable.

In conclusion, I would advise my readers not only to take training and certifications very seriously, but also to evaluate the opportunities given to them and decide which ones they should be taking, in order to better assist their career in the long- and short-term scheme of things, while avoiding ones that are simply "wasted training."

Wednesday, April 25, 2012

Policy NAT

In the previous post I gave a brief description of NAT and PAT, which are basically ways of mapping different IPs, both public and private, in a multitude of ways.  Think of it as being somewhat similar to DNS, but on a different level.  Where I work, we have more recently begun using what is known as policy NAT, which has proven to be beneficial for several different reasons.

Policy NAT is a method by which you can control when and how you will NAT your subnets.  The basic concept is that you specify certain conditions that tell your router/firewall when and how to translate specific IP addresses and/or subnets.

For example, if user A wants to access their corporate email account, which is hosted internally, you can tell the NATing device to let them use their private IP address, since a public one is not necessary.  At the same time, user B wants to access www.google.com.  This time we will tell the NATing device to translate their private IP to a randomly chosen public IP in the specified address pool.  When user B closes their connection to www.google.com, the NATing device will remove that entry from the NATing table, and return the public IP address to the pool.

What this does for us is let us see the individual users when they are accessing internal resources.  This can help us identify problems with individual PCs, instead of having to go inside of the network to troubleshoot.  This also gives the user some anonymity when they go to the internet, since the public IP is only used temporarily, and it helps to prevent devices on the internet from being able to connect to a user's PC from the outside.

From there, we can continue to get even more granular, based on the rules you set on the NATing device that tell it when and how to NAT, or even PAT.  You can specify that a certain host, or hosts, be mapped to a specific IP, while the rest are dynamic, i.e. use a temporary, random public IP from the address pool.  You can also say that some people cannot use public addresses, or even specify that some hosts use a specific PAT address.

Here is an example config from a Cisco ASA firewall running 8.4(3) code:

object-group network INSIDE-NETWORK
 network-object 192.168.0.0 255.255.255.0
!
object-group network LOCAL-NETWORKS
 network-object 192.168.0.0 255.255.0.0
 network-object 10.0.0.0 255.0.0.0
!
object-group network NAT-REQUIRED-NETWORKS
 network-object host 10.10.10.1
 network-object host 10.10.10.2
!
object network NAT-POOL
 range 1.1.1.3 1.1.1.243
!
nat (inside,outside) source static INSIDE-NETWORK NAT-POOL destination static NAT-REQUIRED-NETWORKS NAT-REQUIRED-NETWORKS
nat (inside,outside) source static INSIDE-NETWORK INSIDE-NETWORK destination static LOCAL-NETWORKS LOCAL-NETWORKS
nat (inside,outside) source dynamic INSIDE-NETWORK NAT-POOL

This may look complicated (which at first it is, especially if no examples are available on the internet!), but if you break it down it's quite simple.

First, keep in mind that the (inside,outside) part is simply saying that these rules apply to someone coming from the inside interface and going to a destination outside of the firewall through the outside interface.

The object groups should be straightforward.  The inside network is the private network inside of the firewall.  The local networks are the corporate intranet networks, the NAT-required networks are devices that can't or won't accept connections from a private IP address, and the NAT pool is the range of public IP addresses that the firewall can use for translating.

So, in this setup, if someone on the inside wants to go to a host within the corporate network, they'll keep their private address.  If they want to go to 10.10.10.1 or 10.10.10.2, they will use a random public IP address.  If they want to go anywhere else, i.e. something on the internet, they will use a random public IP address.
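The selection logic behind those three nat lines can be modelled in a few lines of Python.  The block below is an added example written for this page; it is not Cisco code and not output from an ASA.  The rule names, the PolicyNat class and the sample flows are constructed, and the pool hands out addresses in order rather than at random so the result can be checked.  It shows the detail that is easy to miss when reading the config: 10.10.10.1 and 10.10.10.2 also fall inside 10.0.0.0/8 (LOCAL-NETWORKS), so the NAT-required rule only takes effect because it sits above the identity rule.  Swap the first two rules and those hosts would be reached with a private source address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the object groups in the ASA config above.
INSIDE_NETWORK = [ipaddress.ip_network("192.168.0.0/24")]
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
NAT_REQUIRED_NETWORKS = [ipaddress.ip_network("10.10.10.1/32"), ipaddress.ip_network("10.10.10.2/32")]
# NAT-POOL is the range 1.1.1.3 - 1.1.1.243 (241 addresses).
NAT_POOL = [ipaddress.ip_address("1.1.1.3") + i for i in range(241)]


def in_any(addr, networks):
    """True if addr belongs to at least one of the given networks."""
    return any(addr in net for net in networks)


@dataclass
class Rule:
    name: str                       # constructed label, only for the reader
    source: List[ipaddress.IPv4Network]
    destination: Optional[List[ipaddress.IPv4Network]]  # None means "any destination"
    action: str                     # "identity" keeps the source; "pool" draws a pool address


# Same order as the three nat lines: first match wins, like the device does.
RULES = [
    Rule("static to NAT-REQUIRED hosts", INSIDE_NETWORK, NAT_REQUIRED_NETWORKS, "pool"),
    Rule("identity to LOCAL-NETWORKS", INSIDE_NETWORK, LOCAL_NETWORKS, "identity"),
    Rule("dynamic to anywhere else", INSIDE_NETWORK, None, "pool"),
]


class PolicyNat:
    """Toy evaluator: picks the first matching rule and tracks pool usage per flow."""

    def __init__(self, rules, pool):
        self.rules = rules
        self.free = list(pool)     # addresses available in the pool
        self.table = {}            # (src, dst) -> mapped address currently in use

    def translate(self, src, dst):
        """Return (matched rule name, source address as seen by the destination)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (src, dst) in self.table:               # existing flow keeps its mapping
            return self.table[(src, dst)][0], str(self.table[(src, dst)][1])
        for rule in self.rules:
            dst_ok = rule.destination is None or in_any(dst, rule.destination)
            if in_any(src, rule.source) and dst_ok:
                if rule.action == "identity":
                    return rule.name, str(src)
                if not self.free:                  # failure mode: pool exhausted
                    raise RuntimeError("NAT pool exhausted")
                mapped = self.free.pop(0)          # deterministic stand-in for "random"
                self.table[(src, dst)] = (rule.name, mapped)
                return rule.name, str(mapped)
        return None, None                          # no rule matched this flow

    def close(self, src, dst):
        """Flow finished: return its pool address so another user can take it."""
        _, mapped = self.table.pop((ipaddress.ip_address(src), ipaddress.ip_address(dst)))
        self.free.append(mapped)


if __name__ == "__main__":
    nat = PolicyNat(RULES, NAT_POOL)
    for src, dst in [("192.168.0.5", "10.20.30.40"), ("192.168.0.5", "10.10.10.1"),
                     ("192.168.0.6", "203.0.113.7")]:
        print(src, "->", dst, "appears as", nat.translate(src, dst))
```

The 203.0.113.0/24 destination used in the demo is a documentation range standing in for "something on the internet".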

So there's the gist of it.  Once you familiarize yourself with this method of address mapping, it ends up providing you with many benefits compared to traditional PATing.  I hope someone finds this helpful.  I had to learn this myself, since this specific type of NATing hadn't been done much when I first started, and there were no examples of how to do it, like the example I have provided above.

Good luck, and have fun!

(Image courtesy of den4b.com)

Thursday, June 23, 2011

Brief description of NAT concepts

With IPv4 addresses all used up now, NATing has become a standard practice for businesses and ISPs in order to spread their remaining addresses as thin as possible.  Although IPv6 is becoming a more popular and available alternative, it will still be a while before it starts to become commonplace.  This is because it can require a complex network configuration, as well as possible new hardware, making it an expensive and time-consuming approach.  Most people have decided to use NATing in the meantime.

NAT stands for network address translation and, in the most basic description, is typically used to translate public, or internet-routable, IP addresses to private, or non-internet-routable, IP addresses, and vice versa.  A lot of people tend to confuse this technique with PAT, or port address translation.  You can find a more detailed description of NATing and PATing, as well as their differences, here.  Basically, PATing translates multiple private IPs to a single public IP and uses ports to track the different connections from the different inside IP addresses.  This technique is typically used by ISPs for residential internet service.  A lot of people will use port forwarding on their home router in order to access their PCs or other devices at home from the internet.
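To make the PAT half of that concrete, here is an added example (written for this page, not code from any router vendor) that models a PAT table: many inside hosts share one public address, the table hands each connection its own public port, return traffic is matched back to the inside host through that port, and unsolicited inbound traffic only reaches a host if an explicit port forward exists.  The class name, the port range and the sample addresses (192.168.1.0/24 inside, 198.51.100.0/24 and 203.0.113.0/24 as documentation ranges for outside hosts) are all constructed.

```python
class PatTable:
    """Toy port address translation: inside hosts share one public IP, ports tell flows apart."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port          # next unused public port (simplified allocator)
        self.last_port = last_port
        self.outbound = {}   # (inside_ip, inside_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # (public port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.forwards = {}   # static port forwards: public port -> (inside_ip, inside_port)

    def add_port_forward(self, public_port, inside_ip, inside_port):
        """What a home router does when you 'forward a port' to a device inside."""
        self.forwards[public_port] = (inside_ip, inside_port)

    def translate_outbound(self, inside_ip, inside_port, dst_ip, dst_port):
        """Rewrite the source of an outgoing packet; returns (public_ip, public_port)."""
        key = (inside_ip, inside_port, dst_ip, dst_port)
        if key not in self.outbound:
            if self.next_port > self.last_port:      # failure mode: no ports left
                raise RuntimeError("PAT port range exhausted")
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, dst_ip, dst_port)] = (inside_ip, inside_port)
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, remote_ip, remote_port, public_port):
        """Find the inside host for a packet arriving at public_ip:public_port, or None."""
        # Return traffic for a connection that an inside host opened.
        entry = self.inbound.get((public_port, remote_ip, remote_port))
        if entry is not None:
            return entry
        # Anything else is unsolicited: it is dropped unless a port forward says otherwise.
        return self.forwards.get(public_port)

    def close(self, inside_ip, inside_port, dst_ip, dst_port):
        """Tear down a flow so its public port is no longer mapped."""
        port = self.outbound.pop((inside_ip, inside_port, dst_ip, dst_port))
        self.inbound.pop((port, dst_ip, dst_port))


if __name__ == "__main__":
    pat = PatTable("203.0.113.10")
    # Two inside hosts talk to the same web server: same public IP, different ports.
    print(pat.translate_outbound("192.168.1.20", 50000, "198.51.100.5", 443))
    print(pat.translate_outbound("192.168.1.21", 50000, "198.51.100.5", 443))
    # The server's reply is steered back to the right host by the public port.
    print(pat.translate_inbound("198.51.100.5", 443, 1025))
    # A stranger probing the same port gets nothing.
    print(pat.translate_inbound("198.51.100.9", 4444, 1025))
```

Note that the reply lookup keys on the remote address and port as well as the public port; a table that keyed on the public port alone would let any outside host reach the inside machine as soon as one connection was open.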

In the next section I will describe a technique known as policy NATing that will allow you to have a really granular way to configure your NATing and can even integrate PATing into the mix!

Wednesday, December 29, 2010

Sync files and access them anywhere with dropbox

I had mentioned in my previous post a service called Dropbox.  The truth is there are a lot of "cloud storage" services, such as Amazon's EC2 and Ubuntu One, but I prefer using Dropbox for a couple of reasons.  One major reason is that Dropbox has clients for most major platforms, including Windows, Linux, Mac, Android, iPhone, etc.  Another reason is that, while most other free versions have the same amount of initial storage, Dropbox has the added benefit of giving you ways to increase your storage.  Dropbox will give you up to 3GB of extra storage for a total of 5GB.  For every referral you get for Dropbox, they will give you 250MB of extra storage.  You can also get extra storage for things like publishing an ad from your Twitter account.

So once you pick the storage service of your choice, what do you use it for?  Well, there are a lot of great ideas, such as the ones in this Lifehacker article.  One of my favorite uses is to sync my KeePass database across multiple computers.  When I make a change on one computer, the database is then synced to the rest of my computers.  This solution is a lot better than constantly updating each individual computer, or carrying around a jump drive with the database on it!  I also like to use the public file feature in order to share files or pictures with friends and family.

So check out Dropbox or one of the other great storage services and have fun!

P.S. If you like this article, maybe you can give me a referral as a thank you!  Just click here to give some props!

Tuesday, November 16, 2010

Make better passwords and keep them safe and accessible

I can't tell you how many times I have seen some of the most basic and easily guessable passwords used by people.  Even for something as important as their bank account!  Most people don't understand that with all of the different types of password attacks out there, such as brute forcing, rainbow tables, etc., it is becoming ever more important to create stronger passwords.  Most people use basic passwords that might be a single word, or a combination of words like "ilovemydog".

The best practice to use today would be to create passwords consisting of a long string of random characters.  Most people don't do this because they want to be able to remember the password.  This is where password programs come in to play.

My personal favorite password software is KeePass.  You can go here to download the program.  It's available for almost any platform, including Windows, Mac, Linux, and even iPhone and Android phones!  The reason I use this software is because it creates an encrypted, password-protected database of your passwords, which I would consider to be a hell of a lot safer than writing them down on a piece of paper that you keep at your desk, which most people still do!  Another reason I like this software is because there is a built-in password generator.  You can have the software create a long random password for you.  Now you don't have to worry about remembering any passwords, except for the password to KeePass!  You simply find the entry for the site you need the password for and either copy and paste the username and password, or have KeePass fill the information in for you.  There are also a bunch of plugins for you to add functionality, such as an auto form-fill feature that can add info like your name, home address, etc. on a site instead of you manually entering that information in.
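The generator feature is worth seeing in code, because it also shows why "a long string of random characters" beats "a combination of words".  The following is an added example written for this page, not KeePass's generator or any of its code; the function names are constructed.  It draws characters from the operating system's cryptographic random source (Python's secrets module) and then puts numbers on the two approaches: how many bits of entropy a password has, and roughly how long an attacker guessing at a given rate would need to get halfway through the space.  The guessing rate used in the demo is a made-up round number, not a measurement.

```python
import math
import secrets
import string

# All 94 printable ASCII characters except space: the kind of alphabet a
# generator like the one described above draws from.
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=FULL_CHARSET):
    """Pick each character independently and uniformly from the alphabet.

    secrets.choice uses the OS CSPRNG; random.choice is seeded predictably and
    must not be used for anything a person will rely on as a secret.
    """
    if length < 1 or not alphabet:
        raise ValueError("need a positive length and a non-empty alphabet")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices_per_symbol, symbols):
    """Entropy of a secret built from `symbols` uniform picks out of `choices_per_symbol`.

    A 'symbol' can be a character (94 choices) or a whole dictionary word
    (choices = size of the word list the attacker tries), which is what makes
    "ilovemydog" weak: it is only about three picks from a small list.
    """
    if choices_per_symbol < 2 or symbols < 1:
        raise ValueError("need at least two choices and one symbol")
    return symbols * math.log2(choices_per_symbol)


def expected_seconds(bits, guesses_per_second):
    """Time to try half of a space of 2**bits possibilities at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # constructed figure: one billion guesses per second
    words = entropy_bits(10000, 3)          # three words from a 10,000-word list
    chars = entropy_bits(len(FULL_CHARSET), 20)  # 20 random printable characters
    print("sample generated password:", generate_password(20))
    print(f"3 dictionary words: {words:.1f} bits, ~{expected_seconds(words, rate):.0f} s to crack")
    print(f"20 random chars:    {chars:.1f} bits, ~{expected_seconds(chars, rate):.2e} s to crack")
```

The entropy figures assume the attacker knows the alphabet or word list and nothing else; if the password leaked anywhere else, no amount of length helps, which is the reason the database that holds them is encrypted.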

Keep in mind that this is only one of many different password management programs.  This just happens to be the one I use on a daily basis and would recommend to most people.

So take a look at KeePass or other password programs and give it a shot.  I know it takes getting used to and it may seem like a pain at first, but it sure beats having your accounts hacked into or your identity stolen!

In my next post, I will show you how to synchronize your password database with multiple devices, so that you can always have access to your latest password database.