Tuesday, February 15, 2011

Satan & Santa - Juniper SRX5800 cluster

Since January I have been working in a new role (Advanced Services), consulting on software upgrade review/recommendation, configuration review, design review and optimization... finally I'm extremely happy with my job :)

Last week I set up a powerful Juniper SRX5800 cluster (easily one of the most ridiculously powerful firewalls running anywhere in the world today). In total it has 8 SPCs (Security Processing Cards), 6 SCBs (Switch Control Boards) and some 10 GE interfaces...

Almost 2 x 120 Gbps of firewall throughput, 2 x 30 Gbps of VPN... I have no clue how much it costs, but I wouldn't be surprised if this cluster cost more than 1 million US$ :-B

I am not a fan of "faster/bigger is better" (on the contrary! for me security is paramount...), but it is still very impressive :)

Suddenly I feel strange, remembering how excited I was ~9 years ago when I started configuring firewalls for a small (now dead) service provider...





show chassis hardware
node0:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN115B944AGA      SRX 5800
Midplane         REV 01   710-024803   ABAB5733          SRX 5800 Backplane
FPM Board        REV 01   710-024632   YR4034            Front Panel Display
PDM              Rev 03   740-013110   QCS1449506M       Power Distribution Module
PEM 0            Rev 03   740-023514   QCS1446E04F       PS 1.7kW; 200-240VAC in
PEM 1            Rev 03   740-023514   QCS1446E003       PS 1.7kW; 200-240VAC in
PEM 2            Rev 03   740-023514   QCS1446E02U       PS 1.7kW; 200-240VAC in
PEM 3            Rev 03   740-023514   QCS1446E043       PS 1.7kW; 200-240VAC in
Routing Engine 0 REV 08   740-023530   9009060144        SRX5k RE-13-20
CB 0             REV 05   710-024802   YV4022            SRX5k SCB
CB 1             REV 05   710-024802   YV3961            SRX5k SCB
CB 2             REV 05   710-024802   YW7506            SRX5k SCB
FPC 0            REV 16   750-023996   YW9925            SRX5k SPC
 CPU            REV 04   710-024633   YX0218            SRX5k DPC PMB
 PIC 0                   BUILTIN      BUILTIN           SPU Cp
 PIC 1                   BUILTIN      BUILTIN           SPU Flow
FPC 1            REV 16   750-023996   YW9917            SRX5k SPC
 CPU            REV 04   710-024633   YX0651            SRX5k DPC PMB
 PIC 0                   BUILTIN      BUILTIN           SPU Flow
 PIC 1                   BUILTIN      BUILTIN           SPU Flow
FPC 2            REV 16   750-023996   YW4597            SRX5k SPC
 CPU            REV 04   710-024633   YX0132            SRX5k DPC PMB
 PIC 0                   BUILTIN      BUILTIN           SPU Flow
 PIC 1                   BUILTIN      BUILTIN           SPU Flow
FPC 3            REV 16   750-023996   YW9904            SRX5k SPC
 CPU            REV 04   710-024633   YX0536            SRX5k DPC PMB
 PIC 0                   BUILTIN      BUILTIN           SPU Flow
 PIC 1                   BUILTIN      BUILTIN           SPU Flow
FPC 8            REV 23   750-020235   YG1352            SRX5k DPC 40x 1GE
 CPU            REV 04   710-024633   YG9211            SRX5k DPC PMB
 PIC 0                   BUILTIN      BUILTIN           10x 1GE RichQ
 PIC 1                   BUILTIN      BUILTIN           10x 1GE RichQ
 PIC 2                   BUILTIN      BUILTIN           10x 1GE RichQ
 PIC 3                   BUILTIN      BUILTIN           10x 1GE RichQ
FPC 9            REV 23   750-020235   YG1355            SRX5k DPC 40x 1GE
 CPU            REV 04   710-024633   YG9238            SRX5k DPC PMB
 PIC 0                   BUILTIN      BUILTIN           10x 1GE RichQ
   Xcvr 0       REV 01   740-011613   AM0820S9UL6       SFP-SX
 PIC 1                   BUILTIN      BUILTIN           10x 1GE RichQ
 PIC 2                   BUILTIN      BUILTIN           10x 1GE RichQ
 PIC 3                   BUILTIN      BUILTIN           10x 1GE RichQ
FPC 10           REV 24   750-020751   YV9082            SRX5k DPC 4X 10GE
 CPU            REV 04   710-024633   YX0577            SRX5k DPC PMB
 PIC 0                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
 PIC 1                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
 PIC 2                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
 PIC 3                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
FPC 11           REV 24   750-020751   YW6773            SRX5k DPC 4X 10GE
 CPU            REV 04   710-024633   YX0455            SRX5k DPC PMB
 PIC 0                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
 PIC 1                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
 PIC 2                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
 PIC 3                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
Fan Tray 0       REV 05   740-014971   VT3322            Fan Tray
Fan Tray 1       REV 05   740-014971   VT3276            Fan Tray

node1:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN1159C59AGA      SRX 5800
Midplane         REV 01   710-024803   ABAB5709          SRX 5800 Backplane
FPM Board        REV 01   710-024632   WY3825            Front Panel Display
PDM              Rev 03   740-013110   QCS1449507C       Power Distribution Module
PEM 0            Rev 03   740-023514   QCS1446E02Y       PS 1.7kW; 200-240VAC in
PEM 1            Rev 03   740-023514   QCS1446E03Z       PS 1.7kW; 200-240VAC in
PEM 2            Rev 03   740-023514   QCS1446E01T       PS 1.7kW; 200-240VAC in
Routing Engine 0 REV 08   740-023530   9009060415        SRX5k RE-13-20
CB 0             REV 05   710-024802   YV3883            SRX5k SCB
CB 1             REV 05   710-024802   YV3992            SRX5k SCB
CB 2             REV 05   710-024802   YW7457            SRX5k SCB
FPC 0            REV 16   750-023996   YW9933            SRX5k SPC
 CPU            REV 04   710-024633   YX0595            SRX5k DPC PMB
 PIC 0                   BUILTIN      BUILTIN           SPU Cp
 PIC 1                   BUILTIN      BUILTIN           SPU Flow
FPC 1            REV 16   750-023996   YW4438            SRX5k SPC
 CPU            REV 04   710-024633   YX0596            SRX5k DPC PMB
 PIC 0                   BUILTIN      BUILTIN           SPU Flow
 PIC 1                   BUILTIN      BUILTIN           SPU Flow
FPC 2            REV 16   750-023996   YW9909            SRX5k SPC
 CPU            REV 04   710-024633   YX0552            SRX5k DPC PMB
 PIC 0                   BUILTIN      BUILTIN           SPU Flow
 PIC 1                   BUILTIN      BUILTIN           SPU Flow
FPC 3            REV 16   750-023996   YW4422            SRX5k SPC
 CPU            REV 04   710-024633   YX0377            SRX5k DPC PMB
 PIC 0                   BUILTIN      BUILTIN           SPU Flow
 PIC 1                   BUILTIN      BUILTIN           SPU Flow
FPC 9            REV 23   750-020235   YG1346            SRX5k DPC 40x 1GE
 CPU            REV 04   710-024633   YG1682            SRX5k DPC PMB
 PIC 0                   BUILTIN      BUILTIN           10x 1GE RichQ
   Xcvr 0       REV 01   740-011782   P9720L1           SFP-SX
 PIC 1                   BUILTIN      BUILTIN           10x 1GE RichQ
 PIC 2                   BUILTIN      BUILTIN           10x 1GE RichQ
 PIC 3                   BUILTIN      BUILTIN           10x 1GE RichQ
FPC 10           REV 24   750-020751   YW6741            SRX5k DPC 4X 10GE
 CPU            REV 04   710-024633   YX0581            SRX5k DPC PMB
 PIC 0                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
 PIC 1                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
 PIC 2                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
 PIC 3                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
FPC 11           REV 24   750-020751   YV9104            SRX5k DPC 4X 10GE
 CPU            REV 04   710-024633   YX0576            SRX5k DPC PMB
 PIC 0                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
 PIC 1                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
 PIC 2                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
 PIC 3                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
Fan Tray 0       REV 05   740-014971   VT2870            Fan Tray
Fan Tray 1       REV 05   740-014971   VT3536            Fan Tray
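A small parser for this kind of `show chassis hardware` output, added here as an example (it is not from the post or from Juniper): it counts top-level FRUs per cluster node by description and flags where the two members differ, which is exactly the sort of thing a configuration/design review should catch. The embedded inventory is a constructed, heavily trimmed copy of the output above.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the post's "show chassis hardware" output.
SAMPLE = """\
node0:
Item             Version  Part number  Serial number     Description
Chassis                                JN115B944AGA      SRX 5800
PEM 0            Rev 03   740-023514   QCS1446E04F       PS 1.7kW; 200-240VAC in
PEM 3            Rev 03   740-023514   QCS1446E043       PS 1.7kW; 200-240VAC in
CB 0             REV 05   710-024802   YV4022            SRX5k SCB
FPC 0            REV 16   750-023996   YW9925            SRX5k SPC
  PIC 0                   BUILTIN      BUILTIN           SPU Cp
FPC 8            REV 23   750-020235   YG1352            SRX5k DPC 40x 1GE

node1:
Chassis                                JN1159C59AGA      SRX 5800
PEM 0            Rev 03   740-023514   QCS1446E02Y       PS 1.7kW; 200-240VAC in
CB 0             REV 05   710-024802   YV3883            SRX5k SCB
FPC 0            REV 16   750-023996   YW9933            SRX5k SPC
  PIC 0                   BUILTIN      BUILTIN           SPU Cp
"""

def parse_inventory(text):
    """Map node -> Counter of top-level FRU descriptions (e.g. 'SRX5k SPC').
    Columns are separated by 2+ spaces; item is the first field, description
    the last, so the optional Version/Part-number columns do not matter."""
    nodes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(node\d+):$", line)
        if m:
            current = m.group(1)
            nodes[current] = Counter()
            continue
        # Skip blank lines, separators, headers and indented sub-components (CPU/PIC/Xcvr).
        if not current or not line.strip() or line[0] in "- " \
                or line.startswith(("Hardware inventory", "Item ")):
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) >= 2:
            nodes[current][fields[-1]] += 1
    return nodes

def cluster_asymmetry(nodes):
    """Descriptions whose FRU count differs between the two cluster nodes;
    cluster members should carry matching cards before failover capacity is trusted."""
    n0, n1 = sorted(nodes)[:2]
    return {d: (nodes[n0][d], nodes[n1][d])
            for d in set(nodes[n0]) | set(nodes[n1])
            if nodes[n0][d] != nodes[n1][d]}
```

Fed the two full inventories above, it reports node0's fourth PEM and its extra 40x1GE DPC (FPC 8), which node1 does not have.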


Wednesday, February 9, 2011

Again, yet another 0-day that can be exploited via IE... it seems to affect all Windows platforms...

To me this is one of the nastiest types of vulnerability...


Microsoft Security Bulletin MS11-006 - Critical
Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution (2483185)


Simply a "picture" in a web page is enough to gain remote access...

Historically this kind of vulnerability has been too frequent for my "taste".

In the past, Microsoft still had the courage to post "mitigating factors" such as:
Microsoft Security Bulletin MS06-026
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (918547)



<snip>

Mitigating Factors for Graphics Rendering Vulnerability - CVE-2006-2376:
  • In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. Also, Web sites that accept or host user-provided content or advertisements, and compromised Web sites, may contain malicious content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail or Instant Messenger request that takes users to the attacker's Web site.
<snip>
:( there are plenty of ways to fool a user into accessing the malicious website...


Now at least they write more sensible mitigating factors:

<snip>
Mitigating Factors for Windows Shell Graphics Processing Overrun Vulnerability - CVE-2010-3970

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
  • The vulnerability cannot be exploited automatically through e-mail.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

<snip>
