Table of Contents


Last week I got asked by a customer what I think about the AWS Firewall and if it would be wise for him to implement it in his environment.
I browsed fast through the various tech documents about it, got initially confused and realised that this is not one of those topics that I was going to understand fast and move on.

I invested more time into it, started reading about rule groups, stateless, statefull rules and … I needed a break. There was surely no quick answer in sight.

Going into the topic even deeper I reached the proverbial French saying “je ne sais quoi”.

Would I implement this firewall in my own environment ?

Then again I’m a perfectionist, always afraid of failing…

I tend to find limitations, restrictions, imperfections and get easily disappointed.

If you want to learn I invite you to join me in this journey :)

Continue reading

Scapy - examples / usage

A customer asked me at some point if we could evaluate how the CoPP DDOS automated filters on a Juniper MX are triggered and how fast they respond to different types of packets. As such I needed to craft custom traffic. I was not very good at coming up with it for Ostinato or Spirent so I used Scapy to craft the packet. Afterward I took the packet hexdump and input it into Spirent / Ostinato as what the streams from there should generate (that hexdump has indeed all data needed, source/dst addresses included which meant of course that it needs to match what Spirent thinks it has on the interface facing the Juniper device).

Examples of generated packets:

  • OSPFv3 IPSEC Encrypted Packets
  • BGP Open Packet
  • BGP IPv6 Open Packet
  • IPSEC ESP Packet
  • BGP Update Packet
  • ICMP Echo Request
  • BFD echo

Continue reading

This article means to show a simple way to create custom Firewall Tags for the new Contrail Security concept, apply them to an element (Virtual Network or Virtual Machine Interface == Neutron Port), create a Firewall rule that uses them, attach that rule to a Firewall Policy.

A few theoretical steps:

  • create custom tag + value
  • attach custom tag + value to port (VMI/Neutron Port)
  • read default policy management ID
  • create firewall rule attached to parent = default policy management ID
  • update firewall policy with the previously created firewall rule

This assumes that later we will map (not present in this article) the firewall policy to the Default Application Policy. To eliminate a bit the confusion, Juniper’s Contrail Security has the following structure:

  • Application policy
    • Default Application Policy = applies everywhere -> we map here 1 or More Firewall Policies
    • Custom Application Policy = applies mentioned Firewall Policies just to the elements (VNs/VMIs/Project/etc) where we put the matching application tags
  • Firewall policy List of firewall rules that apply.
  • Firewall rules

Continue reading


If any of you have played around with the Offensive Security certifications, then for sure you have discovered that they are quite creative and that the people administering them want to make you think by yourself with as little help as possible.
One of their courses, CTP (Cracking the Perimeter), even requires you to hack into a website, retrieve a code, decipher how to get a secret key and only then can you proceed with the registration which checks that you managed to fetch these values.
Without giving a way the challenge, I can only say that working with GDB is needed for the final tests and that I, being lazy, installed a plugin for it called GEF so that I could trace what happens with the registers and have the information visually displayed all the time.

Continue reading

Author's picture

Mihai Tanasescu

All Rounder and Jack of all trades (master of none? :) ).
Sailing the Cloud world with my fantastic team@Aviatrix, former Network, Systems Engineer (Cisco, Juniper, Linux, Openshift, Openstack).
A flavor of Security added to the mix (Offensive Security OSCE).
If there’s anything new and cool, then I like to learn about it. I’m also a fan of deep diving under the hood of a product to see what makes it tick as well as what breaks it.

Solutions Architect @ Aviatrix