I'm excited to announce a new position here at Redux for the role of a Drupal Architect.
Just what is a Drupal Architect?
- A contributor to the Drupal community through code or user assistance.
- A Drupal developer who has been exposed to business critical Drupal stacks.
- An architect assisting in the ongoing evolution of our Enterprise Drupal Stack.
- One who is willing to evangelize within the Drupal community.
This is a full time position based in our Portland, Oregon headquarters.
If you fit the role of a Drupal Architect, please send your resume to join@networkredux.com.
-Thomas
How fast is Drupal on a Network Redux Enterprise Virtual Server? Our clients know. Now we'd like the industry to know.
We are opening up ten (10) slots for new clients or companies to request a Drupal Optimized platform on our Enterprise Virtual Server platform. Slots are allocated on a first come, first served basis, and the first year is free. You may use it for personal, non-profit or corporate purposes, no strings attached.
The Ingredients?
- Datacenter: Internap Seattle (SEF003)
- Carriers: (9) 10Gbps / MIRO
- Routing Platform: Juniper MX
- Switching Platform: Force10 C Series
- Hypervisor: Citrix XenServer Enterprise Edition
- Guest OS: Ubuntu 10 LTS
- Userland: Our own brew
- Dedicated Processor: (1) 2.8GHz Xeon Core
- Dedicated Memory: 2048MB
- Dedicated SAS-15K SAN Storage: 24GB
And fully managed by our team of software engineers and system architects.
Ready to try one out at no cost for the first year? Send your request to drupal@networkredux.com and we'll take the first ten inquiries from those of you who are looking to enhance your Drupal hosting experience.
Enjoy!
UPDATE: We've received a lot of interest, but we're out of our 10 slots! You can still get the Drupal stack on our normal EVS plans by emailing sales@networkredux.com.
I wish this article had been published prior to engaging our first series of SRX units. Over the last couple of months we’ve actively deployed close to (20) SRX 240 units, primarily in active/passive chassis clusters.
Quite a few of our customers rely on VPN connectivity to manage their private clouds. Quite a few of our clients are also Mac shops, similar to our organization.
A popular, yet expensive, VPN client is made by our friends at Equinux and is called VPN Tracker. This is without question the most powerful and robust VPN client I've ever seen on any platform, be it Mac, Windows or Linux.
That being said, during a transition from Watchguard to Juniper as our security gateway provider (and from Force10 to Juniper MX for routing), we made the poor assumption that the SRX series was supported out of the box by VPN Tracker. This article is being written because it was not, and currently is not, supported.
For anyone following the Juniper security track, it is clear from the authors of O'Reilly's JunOS Security that the SRX is being geared to replace the Netscreen and SSG families. ScreenOS will be no more; JunOS is the future for security at Juniper.
Through a combination of many resources, including but not limited to Juniper TAC, a third-party site-to-site (not dynamic VPN) Windows-based IPsec client (for which JunOS had documented support) and a great deal of troubleshooting, I was able to engineer a working configuration for IPsec connectivity from VPN Tracker to an SRX endpoint.
Let's start by saying that the standard proposal set should not be used. This was my first lesson in avoiding default sets within JunOS. A proposal set predefines the criteria the two endpoints negotiate over in order to open a conversation and establish the tunnel. Specifically:
standard - Standard set of two IKE proposals. Proposal 1: preshared key, 3DES encryption, Diffie-Hellman Group 2 and SHA-1 authentication. Proposal 2: preshared key, Advanced Encryption Standard (AES) 128-bit encryption, Diffie-Hellman Group 2 and SHA-1 authentication.
Despite all efforts we could not reach a Proposal 1 agreement with VPN Tracker; our initial theory is that the Triple DES encryption is to blame. What follows is a documented and working proposal set for your dynamic VPN IPsec configurations within JunOS:
set security zones security-zone Public interfaces ge-X/X/X.X host-inbound-traffic system-services ike
set security ike proposal PSK-AES128-SHA1-DH2 authentication-method pre-shared-keys
set security ike proposal PSK-AES128-SHA1-DH2 dh-group group2
set security ike proposal PSK-AES128-SHA1-DH2 authentication-algorithm sha1
set security ike proposal PSK-AES128-SHA1-DH2 encryption-algorithm aes-128-cbc
set security ike proposal PSK-AES128-SHA1-DH2 lifetime-seconds 28800
set security ike proposal PSK-AES256-SHA1-DH2 authentication-method pre-shared-keys
set security ike proposal PSK-AES256-SHA1-DH2 dh-group group2
set security ike proposal PSK-AES256-SHA1-DH2 authentication-algorithm sha1
set security ike proposal PSK-AES256-SHA1-DH2 encryption-algorithm aes-256-cbc
set security ike proposal PSK-AES256-SHA1-DH2 lifetime-seconds 28800
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposals PSK-AES128-SHA1-DH2
set security ike policy ike-dyn-vpn-policy proposals PSK-AES256-SHA1-DH2
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "XXXX"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname reduxftw
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type shared-ike-id
set security ike gateway dyn-vpn-local-gw external-interface ge-X/X/X.X
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec proposal ESP-AES128-SHA protocol esp
set security ipsec proposal ESP-AES128-SHA authentication-algorithm hmac-sha1-96
set security ipsec proposal ESP-AES128-SHA encryption-algorithm aes-128-cbc
set security ipsec proposal ESP-AES128-SHA lifetime-seconds 28800
set security ipsec proposal ESP-AES256-SHA protocol esp
set security ipsec proposal ESP-AES256-SHA authentication-algorithm hmac-sha1-96
set security ipsec proposal ESP-AES256-SHA encryption-algorithm aes-256-cbc
set security ipsec proposal ESP-AES256-SHA lifetime-seconds 28800
set security ipsec policy ipsec-dyn-vpn-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-dyn-vpn-policy proposals ESP-AES128-SHA
set security ipsec policy ipsec-dyn-vpn-policy proposals ESP-AES256-SHA
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
Pretty basic configuration: fill in the X's where needed and you've got working AES128 or AES256.
On the VPN Tracker side, simply create a custom profile and fill in your Phase 1 and Phase 2 settings to match.
Also, don't forget to insert your Public_Bound source NAT rule ahead of your last-resort source-address rule that has source NAT off.
Lastly, remember that security policies in JunOS are evaluated top-down. Ensure the security policy that handles this traffic sits in front of any-permit.
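To make the proposal matching concrete, here is an added Python example (not from the article, Juniper or Equinux) that parses the set lines above into Phase 1 proposals and reports which configured proposal a given client offer would match. The "standard" set is transcribed from the description above; the client offer is constructed to mirror a custom profile that proposes only AES-256/SHA-1/DH2.

```python
# Constructed sample: the two PSK-AES proposals and their policy order from the article.
SRX_CONFIG = """
set security ike proposal PSK-AES128-SHA1-DH2 authentication-method pre-shared-keys
set security ike proposal PSK-AES128-SHA1-DH2 dh-group group2
set security ike proposal PSK-AES128-SHA1-DH2 authentication-algorithm sha1
set security ike proposal PSK-AES128-SHA1-DH2 encryption-algorithm aes-128-cbc
set security ike proposal PSK-AES256-SHA1-DH2 authentication-method pre-shared-keys
set security ike proposal PSK-AES256-SHA1-DH2 dh-group group2
set security ike proposal PSK-AES256-SHA1-DH2 authentication-algorithm sha1
set security ike proposal PSK-AES256-SHA1-DH2 encryption-algorithm aes-256-cbc
set security ike policy ike-dyn-vpn-policy proposals PSK-AES128-SHA1-DH2
set security ike policy ike-dyn-vpn-policy proposals PSK-AES256-SHA1-DH2
"""

# The predefined "standard" proposal set, transcribed from the article's description.
STANDARD_SET = [
    {"name": "standard-1", "authentication-method": "pre-shared-keys", "dh-group": "group2",
     "authentication-algorithm": "sha1", "encryption-algorithm": "3des-cbc"},
    {"name": "standard-2", "authentication-method": "pre-shared-keys", "dh-group": "group2",
     "authentication-algorithm": "sha1", "encryption-algorithm": "aes-128-cbc"},
]

# The four attributes that must agree for two Phase 1 proposals to match.
ATTRS = ("authentication-method", "encryption-algorithm", "dh-group", "authentication-algorithm")

def parse_ike_proposals(config):
    """Return the configured proposals in the order the IKE policy lists them."""
    proposals, order = {}, []
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:4] == ["set", "security", "ike", "proposal"]:
            proposals.setdefault(tok[4], {"name": tok[4]})[tok[5]] = tok[6]
        elif tok[:4] == ["set", "security", "ike", "policy"] and tok[5] == "proposals":
            order.append(tok[6])
    return [proposals[name] for name in order]

def negotiate(gateway_proposals, client_offers):
    """Responder picks the first configured proposal the initiator also offered,
    or None when the two sides share no transform set."""
    for gw in gateway_proposals:
        for offer in client_offers:
            if all(gw.get(a) == offer.get(a) for a in ATTRS):
                return gw["name"]
    return None

# Constructed client offer: a custom profile proposing only AES-256/SHA-1/DH2 with a PSK.
AES256_ONLY = [{"authentication-method": "pre-shared-keys", "encryption-algorithm": "aes-256-cbc",
                "dh-group": "group2", "authentication-algorithm": "sha1"}]
```

Against STANDARD_SET this offer matches nothing, while against the parsed article configuration it lands on PSK-AES256-SHA1-DH2.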
Hopefully this helps the next engineer working with similar platforms.
Any questions, I'm thomas@networkredux.com. Cheers.
Keeping our clients and readers up to date has been difficult these last few months given some significant growth within our organization.
Where to begin? Well, in the last two months the following has occurred:
- Network Redux has grown its revenue base by 20% in the last 8 weeks.
- We have doubled our capacity in Seattle / Sabey.
- Formally launched datacenter presence in New York City with Internap (NYM008).
- With our launch in NYC we are offering coast to coast SAN replication for Enterprise Clients.
- Marked our 7th year of business as of September 18th.
- Made a significant change in vendors for routing and security by consolidating these requirements into Juniper's MX and SRX series.
- Now hosting the local and well-known www.webtrends.com.
- Deployed significant changes and feature enhancements to our user Dashboard.
All of this fruit has come to bear while we maintain 100% ownership of our organization.
I am extremely proud of our talented team and welcome in our 8th year of business.
Cheers,
Thomas Brenneke, President Network Redux, LLC
Good news for our readers, followers and customers: we are actively hiring additional DevOps-oriented folks at our Portland, Oregon based HQ.
Those applying for these positions should be comfortable with the following platforms:
- Ruby / Perl
- MySQL / Postgresql
- Mongo / Redis / Riak
- RHEL / CentOS / Ubuntu
- Citrix XenServer
- JunOS
This is a W-2 full time position working from our Portland offices in John's Landing.
With hard work comes many rewards, including but not limited to:
- Comprehensive medical, vision and dental insurance
- Flex-time
- Parking / Commute expenses covered
- Fault tolerant whiteboards (n+1)
- Organizational performance based bonuses
Please send messages directly to me at [thomas] @ {networkredux}.com.