The topology below depicts a standard three-tier application composed of a web front end behind a load balancer, an application tier and a database backend. Each tier is a separate IP subnet on a logical switch connected to a logical…

In security architecture the term micro-segmentation isn't new. A micro-segment, a small subset of a larger whole, has its roots in the financial industry. When micro-segmentation is brought up in terms of a…

Security is an industry that can excite and frustrate, extract tears from the unsuspecting and cause insurmountable problems when protecting many disparate systems. For a long time security was an afterthought, something that was bolted on. If…

Spirent Avalanche Next

Spirent focuses on network and application testing software. Its traditional markets have been cloud providers, hardware vendors and service providers. Recently Spirent has made plays into the enterprise market with devices such as AXON for enterprise hardware,…

JNCIS Security exam review

Today I sat the JNCIS-SEC exam. I felt it was a fair exam and I am going to break it down. It capped off a year of certifications for me as I have worked on transforming my knowledge and applying myself…

The context-aware modules for the Cisco ASA provide enhanced functionality for L7 services. These include, but are not limited to, URL category and reputation databases, HTTP inspection, AVC, TLS proxy, TCP proxy and multiple policy decision points. The management of these…

My previous post focused on access-lists based upon fully qualified domain names (FQDNs). This has recently provided a solution for some work that has been undertaken. Even though it might seem quite straightforward to implement, there…

A recent change request required a geospatial map data server on an isolated network to cache maps from various public sources. The geospatial database calls out to various websites. Bing, Google, government agencies and traffic management feeds combine together…

So what is DHCPv6 client mode and how can it help me? A while back Ivan Pepelnjak commented on the blog asking if the SRX had DHCPv6 client features such as IA_PD and IA_NA. Now, as of version 12.1X45-D10, these…
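As an added illustration, not text or configuration from the original post, the following Junos set commands bring up a stateful DHCPv6 client on a branch SRX WAN interface that requests both an IA_NA address for the interface and an IA_PD delegated prefix, and then advertises that prefix on the LAN. The interface names, zone names and the 12.1X45-D10 baseline are assumptions, and the `#` lines are explanatory comments rather than commands; check the exact syntax against your release.

```junos
# Added example, not from the original post. Assumes ge-0/0/0 faces the
# provider (zone untrust) and ge-0/0/1 is the LAN (zone trust).

# Stateful client: request a non-temporary address (IA_NA) for the WAN
# interface itself and a delegated prefix (IA_PD) for the LAN behind it.
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-type statefull
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-na
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-pd
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-identifier duid-type duid-ll
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client req-option dns-server

# Hand the delegated prefix to router advertisements on the LAN interface.
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client update-router-advertisement interface ge-0/0/1.0
set interfaces ge-0/0/1 unit 0 family inet6
set protocols router-advertisement interface ge-0/0/1.0

# Host-inbound traffic: open only dhcpv6 on the WAN interface, not
# "system-services all", so the untrust zone stays closed to everything else.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcpv6
set security zones security-zone trust interfaces ge-0/0/1.0

# Verify after commit:
#   show dhcpv6 client binding
#   show dhcpv6 client statistics
#   show ipv6 router-advertisement
```

The security point is the last block: the DHCPv6 exchange is the only unsolicited inbound traffic the WAN interface needs to accept, so it is permitted per interface rather than by opening the zone.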

I have managed to get the QEMU version of the ASA running inside Ubuntu 12.04. Previously I installed this on Windows and OS X. The trifecta will be complete with this post, with the ASA running inside Ubuntu. Similar to the…

If you have followed the previous posts from the start, you will have downloaded, installed and configured your Juniper SRX to support IDP. This is a great start. For most users the default templates defined…

The Juniper SRX family offers much more than stateful firewalling, access-lists and NAT. Alongside the Unified Threat Management (UTM) suite, Intrusion Detection and Prevention (IDP) is a vital part of a layered approach to security.…

Time to get into some access-list tips. I am going to make a management zone and want to control which protocols are permitted. First, make the address book entry we will use to define our management hosts: set security zones security-zone trust address-book…

Foreword: As I mentioned earlier, I have been asked to be a part of the Thwack Ambassador program and my first post went up. I am linking to it now for my readers who follow my blog and may not be aware of the…

A functional zone is a distinct type of zone. The SRX family has only one functional zone, management. The management zone is designed to have a physical interface allocated to it, which allows true out-of-band management.…
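As an added example that is not configuration from either of the original posts, the Junos set commands below cover both management approaches the excerpts above describe: a dedicated interface in the functional management zone for out-of-band access, and a trust zone address book used to restrict in-band management of the SRX itself. The interface name, addresses and host names are placeholders, the `#` lines are explanatory comments rather than commands, and the `junos-host` zone used for the in-band policy is assumed to be available (Junos 12.1X44-D10 and later); verify against your release.

```junos
# Added example, not from the original posts. Assumes ge-0/0/15 is a spare
# port dedicated to out-of-band management and that in-band management
# hosts live on 10.10.10.0/24 behind the trust zone.

# Out-of-band: the functional management zone is not referenced by security
# policies, so host-inbound-traffic is the only control. Allow just the
# services the admins need.
set interfaces ge-0/0/15 unit 0 family inet address 192.0.2.1/24
set security zones functional-zone management interfaces ge-0/0/15.0
set security zones functional-zone management host-inbound-traffic system-services ssh
set security zones functional-zone management host-inbound-traffic system-services https
set security zones functional-zone management host-inbound-traffic system-services ping

# In-band: define the management hosts in the trust zone address book.
set security zones security-zone trust address-book address mgmt-host-1 10.10.10.10/32
set security zones security-zone trust address-book address mgmt-host-2 10.10.10.11/32
set security zones security-zone trust address-book address-set mgmt-hosts address mgmt-host-1
set security zones security-zone trust address-book address-set mgmt-hosts address mgmt-host-2

# The zone must still accept the service before any policy can match it.
set security zones security-zone trust host-inbound-traffic system-services ssh

# Policy to the built-in junos-host zone limits which hosts may open SSH to
# the SRX; everything else aimed at the box from trust is denied and logged.
set security policies from-zone trust to-zone junos-host policy allow-mgmt match source-address mgmt-hosts
set security policies from-zone trust to-zone junos-host policy allow-mgmt match destination-address any
set security policies from-zone trust to-zone junos-host policy allow-mgmt match application junos-ssh
set security policies from-zone trust to-zone junos-host policy allow-mgmt then permit
set security policies from-zone trust to-zone junos-host policy deny-mgmt match source-address any
set security policies from-zone trust to-zone junos-host policy deny-mgmt match destination-address any
set security policies from-zone trust to-zone junos-host policy deny-mgmt match application any
set security policies from-zone trust to-zone junos-host policy deny-mgmt then deny
set security policies from-zone trust to-zone junos-host policy deny-mgmt then log session-init
```

Two checks worth doing after commit: `show security zones` should list ge-0/0/15.0 under the functional management zone and nowhere else, and an SSH attempt from a trust host outside `mgmt-hosts` should show up as a denied session in the log rather than reaching the CLI login prompt.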

Foreword: As I mentioned last week, I was a part of the Thwack Ambassador program and my first post went up. I am linking to it now for my readers who follow my blog and may not be aware of the…

In a branch office you generally have workers who keep standard business hours, typically between 0700 and 1800. Most branches have VoIP handsets or APs that run off PoE. These do not need to…