Posts filed under Security

Juniper vSRX Firewall and VMWare Workstation 14

For a work related project, I wanted to run the Juniper vSRX firewall (v15.1X49-D110) on my work laptop by using VMWare Workstation Pro 14. Unfortunately, the installation (importing the Juniper vSRX OVA file resulted in a VMWare Workstation crash.

Juniper SRX and DHCP Client Challenge

A couple of years ago I wrote a post about a dual ISP config with a Juniper SRX firewall. At the time I ran into some challenges regarding the DHCP client functionality of the SRX. For some reason it couldn't get a lease from the Ziggo ISP DHCP servers. Any other DHCP server on my local network worked just fine. Since I created a work-around at the time (by using an additional NAT router and static IP addresses) I didn't give it much thought.... Until last week.

Last week I ran into a networking challenge that kinda freaked me out. For some reason my Apple TV wouldn't connect to my NAS, but it could connect to the Internet. For some reason my Apple TV got a public IP address while it was located on my internal network. The public IP address was completely unknown to me. So, WTF was giving my Apple TV a public IP address?

Posted on February 13, 2017 and filed under Internet, Security, Tips'n Tricks, Junos.

Configure NGINX as a Secure Reverse Proxy

NGINX (pronounced as engine-x) is a versatile (reverse) proxy service for Linux which can be used for many purposes. This post gives a relative small and easy example that I use at home for accessing insecure web services in my home. These are:

  • Domoticz
    Free and opensource Domotica software
  • SabNZBd
    Free and opensource software for downloading binaries from usenet. Available for multiple operating systems
  • Sonarr
    (former NZBDrone) is a so-called PVR (personal video recorder) for Usenet users, which checks multiple RSS feeds (also called Indexer) for new episodes of the shows you're following.

These services run on different platforms and are not protected by username/password or encryption. Something that's not done if you want to access this over the Internet.
To get secure access to these services you might want to use a VPN solution into your home, but you can also achieve this by using a reverse proxy that 'protects' these services.

I run my NGINX reverse proxy on Ubuntu Linux, but it will also run on the average Raspberry Pi.

Posted on January 29, 2017 and filed under Internet, Security, Tips'n Tricks.

Internet of Things (IoT) and Ransomware

Unfortunately, and no matter how funny the cartoon may be, this may be what the future is going to bring us if we're not careful.

Below are some of the online appliances (just random picks from Google):

The only item I couldn't find was the Internet-connected broom. But I guess that won't take long. The other items can all be bought with some sort of Internet connectivity, and are therefore potential vulnerable for abuse.

Posted on October 10, 2016 and filed under Annoying, Gadgets, Hardware, Internet, Security.

Why Encryption Matters

John Oliver addresses the need for encryption in an hilarious way. The clip is ~18 minutes, but well worth it.

If you still think that encryption is only used for evil (terrorism, child pornography, etc.), and that governments / security agencies should need (backdoor) access to your data..... Well, I'm not gonna end that sentence.

Posted on April 12, 2016 and filed under Fun, Internet, Privacy, Security, Video.

Run Juniper Virtual SRX in VMWare Workstation

The Juniper Virtual SRX firewall can run on multiple platforms, but VMware Workstation is not mentioned in the list of supported platforms. Having some experience with both, I know that almost all VM's designed for the VMware ESXi environment will run on the (stand-alone) VMware Workstation product.

I downloaded the .ova file from the Juniper website and imported it in VMware Workstation v12.1. During the import I adjusted the number of CPU's to save resources, which turned out to be a mistake. The VM really needs the two CPU's, because if you don't it just won't work (routing failures, etc..). So, don't change the defaults for CPU and memory.

Posted on January 12, 2016 and filed under Junos, Security, Tips'n Tricks.

Firefox v42 Tracking Protection

With the launch of Firefox v42 (and up) they introduced an adBlocker in the browser. The ad blocking feature is available (by default) during the use of Private Browsing.

But if you don't want to see those advertisements, and for some reason you don't want to use Private Browsing (like me), than you're out of luck (by default). There's no normal way to enable this feature without the use of Private Browsing (or use an adBlocker add-on for Firefox). Thankfully, Firefox uses a config module in which you can tweak almost everything.... including the Tracking Protection.

Posted on November 4, 2015 and filed under Browsers, Internet, Privacy, Security, Software, Tips'n Tricks.

Rsync And Encrypted Containers

My 'little' off-site Raspberry Pi backup/remote storage project will probably use a combination of Bittorrent Sync and rsync. The latter will be used to backup personal information, but I want that data to be absolutely secure. So I want to use encryption. Preferably by using container that I can mount (e.g. Truecrypt or the Apple OSX encrypted disk images).

The problem with containers is that many backup solutions tend to backup / transfer the entire container when a change occurred. Thankfully, rsync only copies the changes.

Posted on June 20, 2015 and filed under Raspberry Pi, Security, Software, Tips'n Tricks.

Create An 802.1x Evil Access Point

The last couple of weeks, I've been playing with Kali Linux to explore exploits on networks (wireless and switched networks). One of the exploits I'd liked to explore was that of an 'Evil Access Point' which can be done with Kali Linux and a suitable wireless LAN adapter.

An Evil Access Point creates an wireless network SSID to lure unsuspecting users/computers in to connecting to it. This network is pretending to use 802.1x for security (which is mainly used in corporate network environments), and those networks require typically a username and password (or certificate) to connect.

When the user/computer tries to connect, it (the evil AP) collects the user-name and a hash of the password. The password can be recovered by using dictionary files, rainbow tables, or by using brute-force. After the password has been found it can be used with the captured user-name to connect to the corporate network.

Posted on April 12, 2015 and filed under Security, Tips'n Tricks.