Tuesday, May 31, 2011

Check Out The New Rack

For the past two months, I have kept myself busy getting ready for the Juniper Networks Certified Internet Professional Security (JNCIP-SEC) exam. What sort of preparation does an aspiring network ninja need to conquer this exam?  A JNCIS-SEC credential? Check. Determination? Check! Advanced security knowledge on the Juniper SRX platform?  Uh oh...

So yeah, I've been studying. My resources include the JunOS Security book from O'Reilly and the JunOS 10.4 SRX documentation. I have also built a home lab with three Juniper SRX 210H routers, an EX3200 switch, and eight virtual Juniper routers. I picked up the hardware on eBay. I assembled the virtual Juniper routers using the Olive technique, which is documented all over the web. Just google it!

To the untrained eye, my equipment doesn't seem all that impressive lying atop my home office filing cabinet. Usually, the first comment from a visitor is: "Damn, what's that noise! Can you work with that thing on?" Of course I can focus with the EX3200 fans whirring, silly visitor! To me, it's like a bubbling brook in the forest.

I have plugged the three SRXs into my EX switch. The EX switch has a cable running into the network card of my iMac. I then feed the connection to a running VMware instance hosting my eight virtual Juniper routers. Unfortunately, I was unable to get 802.1q working between the SRX routers and the Olives: VMware Fusion doesn't support 802.1q tagging. I was really disappointed by that. I had to put everything in one VLAN and used separate subnets for the connections to create the topology below.

TA DAHHH!!!

The ISP network AS1 is running MBGP with two route reflectors, OSPF as the IGP, RSVP, a full LSP mesh, and MPLS with 2547bis L3VPNs supporting the SuperCorp remote sites. Each CPE connects to two PE routers with BGP. I know what you are thinking! It's definitely overkill for the security track, right? Wrong, dude! This was much more fun than just cabling the SRXs directly to each other. It will also serve as a base for the Service Provider track (my next track!).
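To make the AS1 core concrete, here is an added example of what one PE router's Junos configuration looks like for that design (OSPF with traffic engineering, RSVP, a full mesh of LSPs to the other PEs, iBGP sessions to both route reflectors carrying inet-vpn routes, and a 2547bis VRF with an eBGP session to the SuperCorp CPE). This is illustration written for this post, not the author's actual lab config or anything from Juniper; the interface names, addresses, loopbacks, route-distinguisher, vrf-target and the CPE AS number 65100 are assumptions.

```junos
/* Added example PE configuration for the AS1 lab design; all addresses,
   interface names and AS numbers below are constructed for illustration. */
interfaces {
    ge-0/0/0 {
        description "core link toward P/RR";
        unit 0 {
            family inet {
                address 10.1.0.1/30;
            }
            family mpls;
        }
    }
    ge-0/0/1 {
        description "attachment circuit to SuperCorp CPE";
        unit 0 {
            family inet {
                address 192.168.10.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.0.1/32;
            }
        }
    }
}
routing-options {
    router-id 10.0.0.1;
    autonomous-system 1;
}
protocols {
    rsvp {
        interface ge-0/0/0.0;
    }
    mpls {
        interface ge-0/0/0.0;
        /* one LSP to every other PE; the full mesh is this set on each PE */
        label-switched-path to-PE2 {
            to 10.0.0.2;
        }
        label-switched-path to-PE3 {
            to 10.0.0.3;
        }
    }
    ospf {
        traffic-engineering;
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface lo0.0 {
                passive;
            }
        }
    }
    bgp {
        group rr-clients {
            type internal;
            local-address 10.0.0.1;
            family inet-vpn {
                unicast;
            }
            /* both route reflectors, so VPN routes survive losing one */
            neighbor 10.0.0.254;
            neighbor 10.0.0.253;
        }
    }
}
routing-instances {
    SuperCorp {
        instance-type vrf;
        interface ge-0/0/1.0;
        route-distinguisher 10.0.0.1:100;
        vrf-target target:1:100;
        protocols {
            bgp {
                group cpe {
                    type external;
                    peer-as 65100;
                    neighbor 192.168.10.2;
                }
            }
        }
    }
}
```

On the two route reflectors the matching iBGP group would add a `cluster` identifier so the reflectors pass the PEs' VPN routes to each other's clients. The eBGP session to the CPE is deliberately bare here; in anything beyond a lab it should carry an import policy and a prefix limit so a misconfigured or hostile customer router cannot flood the VRF.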

The SRX routers will serve as my platform for learning the JNCIP-SEC objectives. I also have two Linux virtual machines. One VM is running BackTrack 5 and will be my attacker machine. The other VM is running Web Security Dojo. The WSD VM will be my vulnerable server that needs protection.

I'll add articles and configurations from that work in future posts.

If you have absolutely no idea what a JNCIP-SEC is, you can learn more about Juniper Networks Certification tracks by pointing your favorite web browser to:

http://www.juniper.net/us/en/training/certification/certification-tracks/