Sunday, September 24, 2017

Create AWS Diagrams Online

I was looking for some online tools to create impressive AWS diagrams for my learning process. Most online diagram websites provide some free usage. Here are some websites I found useful.


1. AWS 3D Diagram from Cloudcraft.co


It was quite impressive when I made my first diagram. The limited grid size is a big pain when you try to draw a detailed diagram of your AWS VPC, but it is good enough to draw a three-tier application deployment.

Cloudcraft allows registered users to create AWS diagrams for free using all available components, with some features limited. Upgrading to Cloudcraft Pro adds import of live AWS data and unlimited-size diagrams. It can automatically calculate the cost of your design and also provides a live connection to your AWS account. The smart components feature makes it much easier to connect the components you lay on the grid than any other website I tried. Love it. So far, I think it is the best site for me.

A $49 monthly subscription upgrades you to the Pro level and removes those restrictions.


Building a 3S (Scalable, Stable and Secure) AWS Test Environment - Part 2


3. Building a scalable AWS architecture (ELB, ASG, RDS)

  • Create your security groups
  • Create your EC2 key pair
  • Create your RDS SQL instance
  • Bake your Amazon Machine Image
  • Create your launch configuration
  • Create your auto-scaling group
  • Create your elastic load balancer
  • Test, break, fix, celebrate
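An added example for the security-group step of this procedure, not code from the post: it lays out the three-tier rule chain (only the ELB is Internet-facing, the ASG instances admit traffic only from the ELB's group, RDS only from the instances' group) and checks that no internal tier has been opened to an address range. Group IDs are placeholders and the ports are assumed values.

```python
# Added example (not from the post): a three-tier security-group plan for the
# ELB / ASG / RDS layout above, plus a check that no internal tier is opened to
# an address range.  Group IDs are placeholders; ports are assumed values.
ELB_SG, APP_SG, DB_SG = "sg-elb-PLACEHOLDER", "sg-app-PLACEHOLDER", "sg-db-PLACEHOLDER"

def rule(proto, port, cidr=None, src_sg=None):
    """One ingress permission in the IpPermissions shape the EC2 API uses."""
    perm = {"IpProtocol": proto, "FromPort": port, "ToPort": port}
    if cidr:
        perm["IpRanges"] = [{"CidrIp": cidr}]
    if src_sg:
        perm["UserIdGroupPairs"] = [{"GroupId": src_sg}]
    return perm

def three_tier_plan(app_port=8080, db_port=3306):
    """Chain the tiers: only the ELB faces the Internet, and each tier behind it
    admits traffic solely from the security group of the tier in front."""
    return {
        ELB_SG: [rule("tcp", 80, cidr="0.0.0.0/0"), rule("tcp", 443, cidr="0.0.0.0/0")],
        APP_SG: [rule("tcp", app_port, src_sg=ELB_SG)],
        DB_SG: [rule("tcp", db_port, src_sg=APP_SG)],
    }

def audit(plan, public_sgs=(ELB_SG,), trusted_cidrs=()):
    """Return (group, port, cidr) for every CIDR-based rule on a non-public tier
    that is not listed in trusted_cidrs (e.g. an admin subnet for SSH).
    Internal tiers should reference security groups, not address ranges, so
    anything else is reported as a finding."""
    findings = []
    for sg, perms in plan.items():
        if sg in public_sgs:
            continue
        for perm in perms:
            for ip_range in perm.get("IpRanges", []):
                if ip_range["CidrIp"] not in trusted_cidrs:
                    findings.append((sg, perm["FromPort"], ip_range["CidrIp"]))
    return findings
```

The same audit can be run against rules pulled from a real account once they are converted to the IpPermissions shape above.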

3.1 Create your security groups (Firewall)


Wednesday, September 20, 2017

My Top Internet / Network Tools

There are lots of useful sites that help with troubleshooting. I have listed some common tools and websites I use myself. Please let me know what you are using; I would like to try them and add them to this list.

1. Internet/Network Tools Portal
Ping – Shows how long it takes for packets to reach a host
Traceroute – Traces the route of packets from the portal's server to the destination host
DNS lookup – Looks up a DNS record
WHOIS – Lists contact info for an IP or domain
Port check – Tests whether a port is open on the specified IP
Reverse lookup – Gets the hostname for an IP address
Proxy checker – Detects a proxy server
Bandwidth meter – Measures your download speed from the portal's server
Network calculator – Calculates the subnet range from a network mask
Network mask calculator – Calculates the network mask from a subnet range
Country by IP – Detects the country for an IP or hostname
Unit converter – Converts values from one unit to another
DNS – Checks detailed DNS information for a hostname (e.g. www.facebook.com, www.yahoo.com, www.youtube.com)
IP number – Checks IP number information such as reverse and forward DNS
Route – Checks a specific routed prefix
AS numbers – Checks information on an AS number
AS macros – Checks who belongs to an AS macro

Wednesday, September 13, 2017

Building a 3S (Scalable, Stable and Secure) AWS Test Environment - Part 1

Gartner's Magic Quadrant for Cloud Infrastructure as a Service, Worldwide, June 2017.
According to Gartner, Amazon Web Services (AWS) has become the undisputed leading cloud provider in the world. AWS is rated “the most mature, enterprise-ready provider, with the deepest capabilities for governing a large number of users and resources.” Gartner says it can satisfy the cool kids who want cloud-native and the old hands who want to shift traditional workloads to the cloud, in part because independent software vendors have clambered aboard in large numbers.


AWS has a good Quick Start deployment guide that presents a good example of building a VPC environment with the following features:
  • Up to four Availability Zones for high availability and disaster recovery. Availability Zones are geographically distributed within a region and spaced for best insulation and stability in the event of a natural disaster. AWS recommends maximizing your use of Availability Zones to isolate a data center outage. 
  • Separate subnets for unique routing requirements. AWS recommends using public subnets for external-facing resources and private subnets for internal resources. For each Availability Zone, this Quick Start provisions one public subnet and one private subnet by default.
  • Additional layer of security. AWS recommends using network access control lists (ACLs) as firewalls to control inbound and outbound traffic at the subnet level. This Quick Start provides an option to create a network ACL protected subnet in each Availability Zone. These network ACLs provide individual controls that you can customize as a second layer of defense.
  • Independent routing tables configured for every private subnet to control the flow of traffic within and outside the Amazon VPC. The public subnets share a single routing table, because they all use the same Internet gateway as the sole route to communicate with the Internet.
  • Highly available NAT gateways, where supported, instead of NAT instances. NAT gateways offer major advantages in terms of deployment, availability, and maintenance.
  • Spare capacity for additional subnets, to support your environment as it grows or changes over time.
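The subnet scheme described in the bullets above, worked through as an added example (not from the Quick Start or the post): one public and one private subnet per Availability Zone, a shared public route table, one route table per private subnet, and the leftover blocks kept as spare capacity. The last function is the "network mask calculator" from the tools list in the previous post, with AWS's five reserved addresses per subnet taken into account. The VPC CIDR, AZ names and subnet sizes are constructed sample input.

```python
import ipaddress

# Added example: lays out the Quick Start subnet scheme (one public and one private
# subnet per AZ, shared public route table, a route table per private subnet, spare
# space left over).  The VPC CIDR and AZ names passed in are constructed sample input.

def plan_subnets(vpc_cidr, azs, public_prefix=24, private_prefix=20):
    """Carve one private (/20 by default) and one public (/24 by default) subnet per AZ.

    Private subnets get the larger blocks because the ASG instances and RDS live
    there; the public ones only need room for load balancers and NAT gateways.
    Everything not handed out is returned as spare blocks for later growth.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    if public_prefix < private_prefix:
        raise ValueError("public subnets must be no larger than private ones in this scheme")
    blocks = list(vpc.subnets(new_prefix=private_prefix))
    if len(blocks) < len(azs) + 1:
        raise ValueError("VPC too small for one private block per AZ plus a public block")
    privates = blocks[:len(azs)]
    publics = list(blocks[len(azs)].subnets(new_prefix=public_prefix))
    if len(publics) < len(azs):
        raise ValueError("public block cannot hold one public subnet per AZ")
    per_az = {az: {"public": str(pub), "private": str(priv)}
              for az, pub, priv in zip(azs, publics, privates)}
    return {"vpc": str(vpc), "subnets": per_az,
            "spare": [str(b) for b in blocks[len(azs) + 1:]]}

def route_tables(plan):
    """Public subnets share one table (same Internet gateway); each private subnet gets its own."""
    tables = {"public": [s["public"] for s in plan["subnets"].values()]}
    for az, s in plan["subnets"].items():
        tables[f"private-{az}"] = [s["private"]]
    return tables

def smallest_prefix(hosts):
    """Smallest AWS subnet (largest prefix length) with at least `hosts` usable addresses.

    AWS reserves five addresses in every subnet (network, VPC router, DNS, future use,
    broadcast) and allows sizes between /28 and /16.
    """
    for prefix in range(28, 15, -1):
        if 2 ** (32 - prefix) - 5 >= hosts:
            return prefix
    raise ValueError("no AWS subnet size fits that many hosts")
```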



Monday, September 11, 2017

Cisco Router IKEv2 IPSec VPN Configuration

What are the differences between IKEv1 and IKEv2?
1. Different negotiation processes
− IKEv1
  • IKEv1 SA negotiation consists of two phases.
  • IKEv1 phase 1 negotiation aims to establish the IKE SA. This process supports main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, while aggressive mode uses only three. Therefore, aggressive mode is faster at IKE SA establishment. However, aggressive mode does not provide peer identity protection.
  • IKEv1 phase 2 negotiation aims to set up the IPsec SA for data transmission. This process uses quick mode (3 ISAKMP messages) to complete the negotiation.
− IKEv2
  • Compared with IKEv1, IKEv2 simplifies the SA negotiation process. IKEv2 uses two exchanges (a total of 4 messages) to create an IKE SA and a pair of IPsec SAs. To create multiple pairs of IPsec SAs, only one additional exchange is needed for each additional pair of SAs.

Friday, September 8, 2017

Juniper Space Security Director Policy Hit Counts Not Updated Automatically


Issue Symptoms:
  • Normally, each firewall rule on the SRX auto-updates an SNMP counter for its hit count, regardless of whether 'count' is configured. Juniper Space Security Director periodically polls these OIDs and updates the hit count.
  • In Juniper Space 16.1 R1, the issue found is that policy hit counts cannot be viewed from Juniper Space Security Director, while the SRX itself keeps updating them.

Actions Taken:
  • Verify security appliance policy hits from the command line
root@fw-mgmt-2> show security policies hit-count 
node1:
--------------------------------------------------------------------------

Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 1       Vlan2              Vlan1        Baramondi_Monitor 0            
 2       Vlan2              Vlan1        10             4428         
 3       Vlan2              Vlan1        50             0            
 4       Vlan2              Vlan1        40             11136        
 5       Vlan2              Vlan1        default-logdrop 0            
 6       Vlan2              Vlan1        53             2007         
 7       Vlan2              Vlan1        54             0            
 8       Vlan2              Vlan1        55             0            
 9       Vlan2              MGMT              6              538          
 10      Vlan2              MGMT              23             0            
 11      Vlan2              MGMT              74             2            
 12      Vlan2              MGMT              default-logdrop 81           
 13      Office              Vlan1        default-logdrop 0            
 14      Office              Vlan1        60             447          
 15      Office              Vlan1        Office_Archive    0            
 16      Office              Vlan1        58             0            
 17      Office              Vlan1        Baramondi_Monitor-1 0            
 18      Office              MGMT              Office_Archive-1  0            
 19      Office              MGMT              default-logdrop 0            
 20      Vlan1       Vlan2               Baramondi_Rules 0            
 21      Vlan1       Vlan2               VA             0            
 22      Vlan1       Vlan2               A_Office_2_Vlan2    292          
 23      Vlan1       Vlan2               default-logdrop 1696         
 24      Vlan1       Office               VA-1           0            
 25      Vlan1       Office               Baramondi_Rules-1 0            
 26      Vlan1       Office               Device-Zone-1  0            
 27      Vlan1       Office               4              1299         
 28      Vlan1       Office               default-logdrop 0            
   ........


It is clear that there are hit counts on the SRX itself, but they are not being pulled/pushed into Space. The log collector has been configured and is receiving logs from this SRX.
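An added example, not part of the post: a small parser for the `show security policies hit-count` output above, so the device-side counters can be summarised and compared with what Security Director displays. The sample text is constructed from a few rows of the output shown above; the column layout is assumed to be the fixed-width form seen there.

```python
import re

# Constructed sample in the shape of the `show security policies hit-count` output
# above (rows copied from it; header, separator and trailing '....' lines included
# to show they are skipped).
SAMPLE = """\
node1:
--------------------------------------------------------------------------

Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 1       Vlan2              Vlan1        Baramondi_Monitor 0
 2       Vlan2              Vlan1        10             4428
 4       Vlan2              Vlan1        40             11136
 12      Vlan2              MGMT              default-logdrop 81
 23      Vlan1       Vlan2               default-logdrop 1696
   ........
"""

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_hit_counts(text):
    """Return one dict per policy row; anything that is not an index/zone/zone/name/count row is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, frm, to, name, count = m.groups()
            rows.append({"index": int(idx), "from": frm, "to": to, "name": name, "count": int(count)})
    return rows

def summarize(rows):
    """Totals per zone pair, plus hits landing on default-logdrop rules (traffic that
    matched nothing explicit), which is a quick sanity figure to compare with Space."""
    per_pair, dropped = {}, 0
    for r in rows:
        key = (r["from"], r["to"])
        per_pair[key] = per_pair.get(key, 0) + r["count"]
        if r["name"].startswith("default-logdrop"):
            dropped += r["count"]
    return {"policies": len(rows), "total_hits": sum(r["count"] for r in rows),
            "per_zone_pair": per_pair, "default_logdrop_hits": dropped}

def counters_alive(rows):
    """True when the SRX reports non-zero hits: if Space shows zeros while this is True,
    the gap is in polling or Space itself, not on the device."""
    return any(r["count"] > 0 for r in rows)
```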