ryanreed.NET

Just got around to updating the 'ol resume and Monster.com profile. I need to update the resume a tiny bit more to include the new company, SecureWorks as the sale has been completed.

I also need to export the new resume to pdf. Ah, no rush, I suppose.

Quick update. I passed my CCSA exam today. 3 certs this year and counting. CCNA coming very soon.

Quick update, just got my JNCIA certification. Wasn't as bad as I thought it would be.

I decided that after working on various Pix and ASA firewalls, that it would be nice to have a VPN generator that could easily output the code needed to setup a site to site VPN. Apparently, someone at the 'ol workplace had created one but I only realized it after I ha mostly created the script. Ah well, not a huge deal.

So what are some of the feature of the generator?

• Has the ability to generate version 6 or 7/8 code for VPNs
• If not pre-shared key is entered, a random key will be generated
• The information stays on the page and is not posted. All the processing is done on the client's computer so that the sensitive information isn't transmitted over the internet

There are a few things this script does not do

• It will not create the access-lists required (for the encryption domains)
• The NONAT will not be generated (leaves it open to the user to decide if NONATting is desired, etc)
• Has not been completely tested as of yet (syntax wise)

Because I'm all for openness, I'm releasing the script under the GPL. Take it, enjoy it. A small request, if you modify the code, let me know. I'm a curious one.

Pix/ASA Site-to-Site VPN Generator

I have to say that of the three main firewalls I work with on a daily basis, the Netscreen is one of the best out there. All 3 firewalls have their pros and cons:

Checkpoint

• Pros
• Easy to use and understand
• The gui is built for ease of use
• tcpdump is one of my favorite tools to sniff traffic and it works well the Nokias and Crossbeams
• Cons
• The log viewer seems to "lie" sometimes, not showing the proper rule numbers at times
• Editing rules via CLI is extremely tough

Cisco Pix/ASA

• Pros
• Fast
• Relatively easy to use
• Lots of documentation online and on Cisco's website for many things
• Cons
• I'm not a personal fan of the capture command, although it does work
• Trace routes are not stateful and only the newer versions can actually perform a virtual inspection of those packets

Juniper Netscreen's are excellent firewalls. They tend to be extremely quick and the commands are straight forward. The log viewing on the firewall is excellent and gives a good amount of information. The only issue I have with these firewalls is the gui, the Netscreen Manager. NSM has some excellent features and the gui tends to be relatively easy. Unfortunately it's programmed in Java. The app can be extremely slow and unresponsive. When running NSM on the local machine, the software has a tendency to max the cpu usage for a while. The newest NSM software version I've been using (can't recall the exact version, sorry) has a memory leak that causes the application to eat up memory until all the free memory on the machine is being used by NSM. The only way to solve the issue is to minimize the app for a minute or to close NSM and reopen it.

I should reiterate the point that I do like Netscreens. I even own a Netscreen 5xp for my own home use. I do wish that they would work on improving the Netscreen Manager. I'm not a fan of using Java for the app. If they ever overhaul the application, I think it could be the best firewall on the market. I would still recommend for small offices and home use the Netscreen 5XP and for the larger business/organizations, take a look at their higher end products.