JNCIE-SEC #374 – It finally happened

This post is about my journey to becoming JNCIE-SEC #374. Sorry for taking so long, but this blog post really needed my special attention because there are many personal feelings involved in the way from JNCIA-JunOS up to JNCIE-SEC.
When I started my long journey, I found many blog posts about this topic. I knew that one day I would do the same – give something back – and write about my experience. And boy am I proud that this day has finally arrived… 🙂

After talking to a lot of network folks I decided to also provide some insights into my lab and the time schedule that I created for my training – hopefully this will help some of you.

SPOILER:
You will NOT find any info about the actual exam, nor any “illegal tips” or stuff like that – if you know me a bit better you know why. The Expert is the most valuable exam – in my opinion even higher than a degree in IT, because this exam will not only show you boring theory but the “real world”. And I want to keep it like that – I know this value and I have taken a path that I would never ever destroy – so please don’t contact me via mail with “Hey Chris – can you send me the actual topology?” – Please understand this – thanks.


In case you are still reading – congrats – you seem to be willing to really “study” for this exam and you want to learn something – and I will guide you.

First of all: in my opinion, the Expert prep is not about learning all the topics (which are massive) in every detail (although of course this helps) – the exam is about time and troubleshooting capability. You need to be able to decide in a couple of minutes how to actually solve a given network problem – these problems are not some sci-fi stuff – they are real problems that a customer would confront you with in the real world. After my first attempt I left the exam room thinking two things:

1) Holy smokes – the topics weren’t as hard as I thought – no “traps” or “mean questions”
2) Holy smokes – how should I do all this in only 8 hours and verify all of it…

When I started my journey in 2016, I purchased the inetzero books, which most of the Experts I talked to also used for all the tracks – and boy were they helpful. I can only recommend giving them a shot: https://www.inetzero.com/

In many blogs you will read that the inetzero book is enough – I personally would say that this is only partially true – because if you don’t know how to create a proper “strike plan” (by the way, special thanks to Udo Steinegger for providing an excellent JNCIE-SEC Bootcamp) you have already lost…

Most of this will be addressed in Juniper’s official Bootcamp – which I also took and which was very helpful, because as far as I know only JNCIEs “teach” this Bootcamp. You already know the topics if you took the Professional course, but having an actual JNCIE telling you how to create “strike plans” and how to “calm your mind” is priceless. That was my motivation to go for the Bootcamp. Of course, you have to decide for yourself.

Ask yourself this:
Do you know how to calm your mind even in the most stressful situations, and do you stay calm and focused when presented with a completely unknown topology, a completely unknown number of devices and completely unknown tasks that you have to complete in a short amount of time?

If you answered even partially no –> go for the Bootcamp – or work inside a NOC where the customers keep calling you, telling you that this problem is the most important in the world and you were born to solve it, because every customer calling the NOC is a VIP – not always entertaining, but this helps a lot 😉

After my first attempt I knew that the exam was doable (who would have thought) – I mean, I knew that before, but once you have actually tried the exam, felt all the pressure inside that room and had this “only 8 hours” feeling, you start to lab differently than before – JunOS shortcuts, for example, are your friend. So after this first attempt I went straight to my hotel room and tried to remember the topics that I struggled with the most. I got this tip from a friend – don’t wait until the next morning – most of it will be forgotten. Write down every part that you thought you screwed up or that did not come easily to you. With this list you can go back to your lab and train, train, train.

I personally labbed 100% virtually – this has pros and cons.

Pro:
I installed EVE-NG myself (basically my life saver, because doing Expert labs in ESX is ugly and painful and takes a lot of time…) and could basically lab from anywhere, anytime.
+ Waiting at the customer’s site between 2 calls? –> Lab
+ Waiting at the airport for the plane? –> Lab
+ Going by train –> Nice –> Lab time
+ Can’t sleep because of a problem bugs you and you still want to test the newest vSRX in parallel? –> Great –> Fire it up and Lab it 😉

Cons:
Well, since you can basically lab from anywhere and you are a “freak” like me, you will most likely lab from everywhere:
+ Waiting at a romantic dinner table for the food (sorry sorry sorry Darling) –> Lab
+ Waiting at the cinema for the movie to start –> Lab
+ Waiting at the bar for the next drink –> Lab

It’s also important to “take a day off” – regenerate and start fresh again.

So I knew that I would most likely not “one-shot” this thing –> so I stayed focused and waited roughly 2 months until the next attempt. I really felt like I could do it (you will read this again later) and got there super excited. In attempt No. 2 I scored even higher than the first time – but still failed. I got a bit frustrated and started to question myself, because I was still many points behind the passing score (no, I will not tell it, of course). Luckily for me, I have family and people who always cheer me up. The Juniper community is the best in my opinion, regardless of partners, Juniper themselves or customers – there are so many awesome people out there that I have met – this made the difference, I think – I don’t know if I would have taken another shot without all the support that I got. It’s more fun to go down this road with family and friends – they might not know what you are talking about, but they can ask you prepped questions that you have to create for yourself.

So for attempt No. 3 I prepped myself some “flashcards” like back in school. I thought of questions that my family could ask and the answers that I would need. I ended up with roughly 90 flashcards covering all the topics – especially the “pain” ones. While taking a walk through our town – which I do almost every night before going to sleep – my wife constantly quizzed me with these flashcards – later she remembered the questions and the answers herself, so I think she could do the JNCIP-SEC now 😛 😉

3 months after attempt No. 2 I thought that it was time for No. 3.
During that time I moved from DiData to Telonic, which made “staying focused” even harder. In these 3 months I constantly learned with flashcards while in parallel I labbed and labbed and labbed – I created around 32 topologies (this is very very easy in EVE-NG) to test every scenario that I thought would be helpful. I also prepped the Superlab from inetzero’s book in EVE, which was a massive help. I felt that I was getting faster and faster and took shot No. 3 – and boy did I hit the wall when I got the results –> fail again…

At this point I have to tell you one thing:
I remembered: when I got my JNCIA-JunOS back in 2013 I had this dream – I wanted to become JNCIE – NO MATTER WHAT!
Yeah – jokes aside – I was pretty down and thought about never getting it – this is okay – it’s part of the experience of becoming an expert and I’m sure every expert knows this point.

After receiving the fail for No. 3 I immediately booked No. 4 for roughly a month later, because I knew that I was sooooo close – this time I focused more on the labs and on “getting the point of the problems”. Knowing the topics is good – very good – but you have to combine them in order to solve your customer’s problem efficiently. So I went through all the inetzero labs again and again, and I also labbed the whole Bootcamp again – no problem thanks to the workbooks and printouts. You may have seen this phase on Twitter – I motivated myself every day and tried to feel the joy of telling everybody that I finally made it.

And on the 3rd of July, at my 4th attempt (now you know why I L O V E my JNCIE-SEC #374), I finally made it. This was kind of awkward –> you prep every day for almost 2 years, solve every problem you find, attend Bootcamps and labs and whatnot, and all of a sudden you are there – this was hard for me to grasp. I literally checked every system (Acclaim, Cert-Manager and mails) against each other to verify that this was no mistake – it wasn’t.

This road was the most challenging task in my life so far – far harder than the apprenticeship – far harder than my work at the NOC and in Professional Services – but would I do it again? Going through all this pain and the “lost weekends” and suffering from thinking that I would never get there? Yes – yes, yes and yes – I would do it again. I encourage you to do the same – the Expert is still the most valued certification there is – not because it is impossible to do – but because there are so many factors that have to fit in order for you to get it. And if you fail? Rome wasn’t built in a day –> go for it again. And again, and again, and again – don’t lose hope because you have read somewhere that someone got it on his first try – congrats to him, but don’t let that drag you down –> stay focused –> visualize your goal and go for it –> look ahead, not back or sideways – get your Expert – not because you need to do it, but because you want to do it. And even if it takes 327 failed attempts – No. 328 will work (hope you get the point).


So my key points are:

+ Take your time to carefully design your own test labs and configs. Lab as much as you can and try to remember JunOS shortcuts
+ Familiarize yourself with Notepad++ – it can help you a lot
+ Don’t let a fail drag you down – learn from it
+ Learn especially the topics that you are “weak” in
+ Start Skype groups or forums with people who are also studying – this will also help you to stay focused
+ Learn how to calm yourself – sounds stupid – you can thank me later
+ Practice, practice, practice (you will, for example, find some practice labs in my other blog posts)
+ Try to understand the whole picture – not just pieces
+ Get a good night’s sleep before the exam day (you will be awake, I know, but try it)
+ Don’t go for a big lunch on the exam day – you will regret it in multiple ways later…
+ MOST IMPORTANT: if you finally made it –> CELEBRATE IT!!! Take your family and friends to dinner and enjoy the moment.

I hope that my “novel” was not boring for you – if you need help to focus or just need someone to talk to about the JNCIE-SEC because you failed – contact me. Again –> not to gain knowledge about the actual exam –> but to get info from someone who recently did exactly the same.
As promised I will release some of my EVE labs and my training schedule for you to check – but note that although this is a big help, it still does not contain anything about the real topology. The topics are listed on the official website –> so I guess this shouldn’t be a problem. If it is and you are from Juniper –> please let me know and I will take it down immediately. But I think I know what is “safe to share” and what is “not safe” 😉


Christian Scholz
JNCIE-SEC #374

NAT64 with vSRX 15.1X49-D120

Yesterday, as part of my JNCIE-SEC training, I reviewed NAT64 with the following topology:


I pinged from Win to Winserver with traffic going over Gemini (vSRX 15.1X49-D120), Pisces (vMX 17.3R1-S1.6), Pyxis (vMX 17.3R1-S1.6) and Virgo (vSRX 15.1X49-D120).

So far everything seems to run fine – sometimes a single ping gets dropped, but with 1% loss this is okay for me:

For me the D120 runs stably and so far I have not experienced any problems.
Below I pasted the configs in case anyone wants to recreate this lab:

Gemini:

Pisces:

Pyxis:

Virgo:

NAT64 – Practical Example

On my way to JNCIE, NAT64 is also a topic – below you will find a working example of how I achieved this – comments are welcome 🙂

Site 1 (running 15.1 code)


Site 2 (running 17.3 code)

Hope this helps you all.

Firefly Perimeter – OSPF over GRE over IPsec

After attending the JNCIE-SEC Bootcamp last week, I saw that one topic was barely mentioned: the way of running OSPF over GRE over IPsec. Since this setup is barely used (for various reasons) I thought that this is post-worthy – so here you have a working config (running on Firefly 12.1X47-D35.2).


Topology:

Config for Firefly-A:


Config for Firefly-B:

Hope that this helps you if you ever have to do this or need to learn it…
Remember – this is just a sample – please use stronger ciphers if possible 😉

The JNCIE-Exam is getting closer and closer…

NAT64/46

Today I experimented with NAT64 / NAT46 a bit.
The setup to test this is relatively easy:

I took 2 Windows servers (2008R2), one with only IPv4 and one with only IPv6.
The 2 SRXes are dual-stack capable and have a transfer subnet (IPv4) between them.

Test scenario: Serverv4 pings Serverv6’s “v4 address”, which is actually a “proxy address” on the SRX, and gets the reply – without requiring the v6 server to have an IPv4 address. The reverse should be the same: the v6 server pings a v6 address, but in the background it is the v4-only server that replies. This worked very nicely and I hope to see more of that in the future at customers’ sites – and I bet I will, since IPv6 gains more and more traction here in Germany 😉

OSPF between a vSRX-Cluster and a standalone vSRX over vQFX on EVE-NG

I promised to deliver this and here it is: OSPF over vQFX 😉
These days I lab a lot with EVE and I love it more every day – the possibilities are endless and the labs are very very quickly configured and running. With 2 new CPUs my EVE now runs at decent speed, so compared to VMware ESX 6.0 there is no extreme performance difference anymore. I can live with that. Since D63 on the vQFX is running very stably and smoothly I thought of this small OSPF lab – I will add more “Quick-Labs” in the future.

WARNING:
The SRX in cluster mode runs very well on EVE – however there is a cosmetic error. If you build a cluster, the interface mappings in EVE are completely wrong. This is because the SRX gets a new interface (em0) as its second interface card – so if you select ge-0/0/0 in EVE, you really select em0.

But why is that, you will ask? The answer is simple:
EVE is not aware of cluster naming or cluster interfaces – so you have to think twice about what you have to select – I needed Wireshark to see what happened…
From top down, the first interface in EVE is fxp0, the second interface is em0, the third is ge-0/0/0 or ge-7/0/0, the fourth is ge-0/0/1 or ge-7/0/1 and so on (see the table below from Juniper):

Once I figured that out I could successfully build the cluster (this time fully working, not just partially) and here is the lab:

Topology:

vSRX-NG5+6 (the SRX-Cluster):

vSRX-NG7 (the standalone SRX):

Lab-C01 (Coreswitch 01, vQFX running 15.1X53-D63.9):

Lab-C02 (Coreswitch 02, vQFX running 15.1X53-D63.9):
Download this lab for your EVE here (size 16 kB, zip archive):
EVE-OSPF-vSRX-vQFX-Lab

Running vQFX 15.1X53-D63 on EVE (KVM)

The KVM version of the latest vQFX routing engine VM (vqfx10k-re-15_X53-D63) seems to be broken. If you try to run it, it will crash with a kernel panic and never boot up completely.
However, you can “cheat your way around this”:

1.) Simply download the Vagrant .box file of the D63 RE.
2.) Extract the .box file with 7zip – you will get a file with no extension.
3.) Extract this file again and “magically” a file called packer-virtualbox-ovf-1491593710-disk001.vmdk will appear.
4.) Upload this to EVE, convert it to hda.qcow2, fix permissions and run it – voilà: D63 on EVE.


The PFE is the same (no D63 version available, since the PFE is not tied to a software version).

It’s always a good idea to dig around in the files provided by Juniper once something breaks 😉

Download the Files here: http://www.juniper.net/support/downloads/?p=vqfxeval#sw

The not-so-secure JIPS course

Last week I attended the 2-day JIPS (Junos Intrusion Prevention Systems) course, which will soon be part of the shiny new 5-day AJSEC (hopefully way way way better)…

Anyway – this is currently an official Juniper course, so for my JNCIE-SEC preparation I thought that it might be wise to attend it in order to prepare myself for some IDS / IPS – baaaaaad mistake and wasted time…

I’d like to share the following picture with you:

Yes – it is 2017 – and yes, the official course includes:

Windows Server 2003 (at least someone patched it to SP2…)
Wireshark 1.0.8 (from – well – I honestly don’t even remember when this came out…)
CentOS 5.4 (from 2009!!!)
NSM2009.1 r1 (Jesus Christ, I thought this was already buried 7 years ago…)
JunOS 12.1R2.9 (Well, I have seen 11.1 in the field, so…)

Guys – 2017 – for a freakin’ security course you should/could have done way better…
For the new course I suggest you look for:

Windows Server 2016
Wireshark 2.2.6
CentOS 7.3
JunOS Space Security Director 16.2
JunOS 12.1X46-D65, or even better: instead of the SRX240-H (which is EoL, by the way), use the new SRX340 with 15.1X49-D75 or the vSRX…

I am very disappointed and this was beyond a doubt the worst course I ever had to attend. Don’t get me wrong – the (old) AJSEC was great – very interesting stuff and somewhat usable for up-to-date SRXes. But the JIPS – even sitting inside the hotel room and looking out of the window would have taught me more about security than this. Now I will have to recreate some IDP patterns myself and hopefully the exam won’t have much to do with it.

If you want more info – well – you know how to reach me…

In my opinion this course should have been EoL in 2012 at the latest, or someone should have upgraded it properly to show new IDP techniques, patterns and maybe more about finding ransomware patterns.

Of course I will not blame the training partner – they got the lab straight from Juniper.

SRX ssh brute-force countermeasures

It’s always a good idea to secure and also harden your SRX in case it is reachable via the Internet.
Today I labbed a bit to see if this filter actually works.


For this lab we set up the “system login retry-options”:

Now to the options we have:

tries-before-disconnect: Sets the maximum number of times the user is allowed to enter a password to attempt to log in to the device through SSH or Telnet. When the user reaches the maximum number of failed login attempts, the user is locked out of the device.

backoff-threshold: Sets the threshold for the number of failed login attempts on the device before the user experiences a delay when attempting to reenter a password.

backoff-factor: Sets the length of delay in seconds after each failed login attempt. When a user incorrectly logs in to the device, the user must wait the configured amount of time before attempting to log in to the device again.

lockout-period: Sets the amount of time in minutes before the user can attempt to log in to the device after being locked out due to the number of failed login attempts specified in the tries-before-disconnect statement.
You can read the full explanations here:
https://www.juniper.net/documentation/en_US/junos/topics/example/system-retry-options-configuring.html


After that (to see it more easily), we create a syslog file for just the failed SSH attempts:

What this does is basically tell your SRX to log all failed SSH attempts to a file called ssh-logs.

This way, your SRX is ready to take on almost every script-kiddie brute-force attack and logs every failed attempt.
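Here is how the two pieces (retry-options plus the dedicated ssh-logs file) fit together in a Junos configuration. This is an added example in curly-brace format, not the screenshot from the original post; the numbers are constructed but lie within the documented ranges of each statement.

```junos
system {
    login {
        retry-options {
            /* lock the user out after 3 wrong passwords (range 1..10) */
            tries-before-disconnect 3;
            /* start delaying the prompt after the 2nd failure (range 1..3) */
            backoff-threshold 2;
            /* delay of 5 seconds per further failed attempt (range 5..10) */
            backoff-factor 5;
            /* minutes a locked-out user has to wait before trying again */
            lockout-period 10;
        }
    }
    syslog {
        file ssh-logs {
            /* authentication events (facility authorization) at info and above */
            authorization info;
            /* keep only sshd messages in this file */
            match "sshd";
            /* rotate at 1 MB and keep 5 archived copies */
            archive size 1m files 5;
        }
    }
}
```

Verify with `show log ssh-logs` and `show system login lockout`; an administrator can unlock a user early with `clear system login lockout user <name>`.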

Be sure to check the file from time to time – and remember: change your passwords from time to time and use at least 64 letters and numbers, hash signs, virgin blood and so on –> you get the idea, right? 😉