Thursday, January 1, 2015

Junos OS 13.3R5

New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 13.3R5 for the EX Series.

Hardware

  • Extended cable manager for EX9214 switches—An extended cable manager is now available for EX9214 switches. The extended cable manager enables you to route cables away from the front of the line cards and Switch Fabric modules and provides easier access to the switch than the standard cable manager. To obtain the extended cable manager, order the MX960 Enhanced Cable Manager, ECM-MX960. (Note that installation of the extended cable manager must be done by a Juniper-authorized technician and that the service cost is in addition to the component cost.) 

Infrastructure

  • Support for IPv6 for TACACS+ authentication (EX9200)—Starting with Release 13.3, Junos OS supports IPv6 along with the existing IPv4 support for user authentication using TACACS+ servers.

Multicast

  • MLD snooping on EX9200 switches—EX9200 switches support Multicast Listener Discovery (MLD) snooping. MLD snooping constrains the flooding of IPv6 multicast traffic on VLANs on a switch. When MLD snooping is enabled on a VLAN, the switch examines MLD messages between hosts and multicast routers and learns which hosts are interested in receiving traffic for a multicast group. Based on what it learns, the switch then forwards multicast traffic only to those interfaces in the VLAN that are connected to interested receivers instead of flooding the traffic to all interfaces. You configure MLD snooping at either the [edit protocols] hierarchy level or the [edit routing-instances routing-instance-name protocols] hierarchy level. 

Network Management and Monitoring

  • sFlow technology on EX9200 switches—EX9200 switches support sFlow technology, a monitoring technology for high-speed switched or routed networks. The sFlow monitoring technology randomly samples network packets and sends the samples to a monitoring station. You can configure sFlow technology on an EX9200 switch to continuously monitor traffic at wire speed on all interfaces simultaneously. The sFlow technology is configured at the [edit protocols sflow] hierarchy level. 

OpenFlow

  • Support for OpenFlow v1.0—Starting with Junos OS Release 13.3, EX9200 switches support OpenFlow v1.0. You use the OpenFlow remote controller to control traffic in an existing network by adding, deleting, and modifying flows on switches. You can configure one OpenFlow virtual switch and one active OpenFlow controller at the [edit protocols openflow] hierarchy level on each device running Junos OS that supports OpenFlow.

Monday, December 22, 2014

Network Time Protocol Vulnerabilities

OVERVIEW

Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices. ICS-CERT may release updates as additional information becomes available.
These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.
Products using NTP service prior to NTP-4.2.8 are affected. No specific vendor is specified because this is an open source protocol.

IMPACT

Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the ntpd process.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

NTP, described in RFC 958, is an open standard developed as an open source collaboration and is used to synchronize system time over a network.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

INSUFFICIENT ENTROPY

If the authentication key is not set in the configuration file, ntpd will generate a weak random key with insufficient entropy.

This vulnerability was resolved with NTP-dev4.2.7p11 on January 28, 2010.

CVE-2014-9293 has been assigned by CERT/CC to this vulnerability. A CVSS v2 base score of 7.3 has been assigned by CERT/CC; the CVSS vector string is (AV:N/AC:L/Au:M/C:P/I:P/A:C).

USE OF CRYPTOGRAPHICALLY WEAK PRNG

Prior to NTP-4.2.7p230, ntp-keygen used a weak seed to prepare a random number generator. The random numbers produced were then used to generate symmetric keys.
This vulnerability was resolved with NTP-dev4.2.7p230 on November 1, 2010.
CVE-2014-9294 has been assigned by CERT/CC to this vulnerability. A CVSS v2 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:M/C:P/I:P/A:C).

STACK-BASED BUFFER OVERFLOWS

A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. All NTP4 releases before 4.2.8 are vulnerable.
This vulnerability is resolved with NTP-stable4.2.8 on December 19, 2014.
CVE-2014-9295 has been assigned by CERT/CC to this vulnerability. A CVSS v2 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:P/I:P/A:P).

MISSING RETURN ON ERROR

A section of the NTP code is missing a return statement, so processing does not stop after the error is reported. The error indicates that a specific, rare condition occurred and does not appear to affect system integrity. All NTP Version 4 releases before Version 4.2.8 are vulnerable.
This vulnerability is resolved with NTP-stable4.2.8 on December 19, 2014.
CVE-2014-9296 has been assigned by CERT/CC to this vulnerability. A CVSS v2 base score of 5.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:P).

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited remotely.

EXISTENCE OF EXPLOIT

Exploits that target these vulnerabilities are publicly available.

DIFFICULTY

An attacker with a low skill would be able to exploit these vulnerabilities.

MITIGATION

All NTP Version 4 releases, prior to Version 4.2.8, are vulnerable and need to be updated to Version 4.2.8.
ICS-CERT strongly encourages CIKR users to backup current operational ICS configurations, and thoroughly test the updated software for system compatibility on a test system before attempting deployment on operational systems.
CERT/CC has published a Vulnerability Note at the following URL:
http://www.kb.cert.org/vuls/id/852879
The latest NTP releases can be accessed at:
http://support.ntp.org/bin/view/Main/SoftwareDownloads.
ICS-CERT would like to thank NTP for coordinating with the Google Security Team Researchers.
ICS-CERT also encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
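The mitigation above reduces to one question per host: is the running ntpd older than 4.2.8? The following script is an added example, not part of the ICS-CERT advisory. It reads the version field that `ntpq -c rv` (or `ntpd --version`) prints, compares it against 4.2.8 using NTP's major.minor.patch[pN] numbering (so 4.2.7p230 sorts below 4.2.8 and 4.2.8 below 4.2.8p1), and flags anything older. The ntpq output embedded in the script is a constructed sample, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the ICS-CERT advisory: flag ntpd versions older
# than 4.2.8, the release the advisory names as the fix for all four CVEs.

# Constructed sample of `ntpq -c rv` output (not captured from a real host);
# the version= field is what the check reads.
SAMPLE_NTPQ_RV='associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
version="ntpd 4.2.6p5@1.2349-o Fri Jul 22 17:30:51 UTC 2011 (1)",
processor="x86_64", system="Linux/3.10.0-123.el7.x86_64", leap=00'

# Pull the bare version (e.g. 4.2.6p5) out of ntpq or `ntpd --version` text.
ntp_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*ntpd \([0-9][^@" ]*\).*/\1/p' | head -n 1
}

# Split "4.2.7p230" or "4.2.8" into "major minor patch pN" (pN defaults to 0).
ntp_version_fields() {
    printf '%s\n' "$1" | awk '
        match($0, /^[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?/) {
            n = split(substr($0, RSTART, RLENGTH), a, /[.p]/)
            printf "%d %d %d %d\n", a[1], a[2], a[3], (n >= 4 ? a[4] : 0)
        }'
}

# Exit 0 if version $1 is older than version $2, 1 if not, 2 if unparseable.
ntp_version_lt() {
    set -- $(ntp_version_fields "$1") $(ntp_version_fields "$2")
    [ "$#" -eq 8 ] || return 2
    i=1
    while [ "$i" -le 4 ]; do
        eval "a=\$$i; b=\$$((i + 4))"
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Exit 0 when the given ntpd version predates 4.2.8.
ntp_is_vulnerable() {
    ntp_version_lt "$1" 4.2.8
}

# Query the local daemon when ntpq is installed; otherwise use the sample.
ntp_report() {
    if command -v ntpq >/dev/null 2>&1; then
        out=$(ntpq -c rv 2>/dev/null)
    else
        out=$SAMPLE_NTPQ_RV
    fi
    v=$(ntp_version_from_output "$out")
    if [ -z "$v" ]; then
        echo "could not determine the ntpd version (daemon not running?)" >&2
        return 2
    fi
    if ntp_is_vulnerable "$v"; then
        echo "ntpd $v: older than 4.2.8, check for vendor backports or update"
    else
        echo "ntpd $v: 4.2.8 or newer"
    fi
}

if [ "${1:-}" = report ]; then ntp_report; fi
```

Run it as `sh ntpcheck.sh report` on each host. One caveat when reading the result: distribution vendors often backport fixes into their packaged version without changing the upstream number, so a host reporting, say, 4.2.6p5 may already be patched; treat a "vulnerable" verdict as a prompt to check the package changelog, not as a final answer.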


Wednesday, December 10, 2014

vCenter Server Appliance 5.5 vs vCenter Server 5.5

vCenter Server Appliance 5.5 vs vCenter Server 5.5 on Windows

vCenter Server Appliance 5.5 reduces the dependency on the Windows operating system for a vCenter Server install. VCSA 5.5 with the embedded database can manage 100 hosts and 3,000 virtual machines. The vCSA cuts administrative effort considerably by removing the Windows patching, software updates and guest OS management that a Windows-based install requires. It is necessary to understand the difference between vCenter Server Appliance 5.5 and vCenter Server 5.5 installed on Windows Server. This post explains the differences between the two in detail.


| Feature | vCenter Server Appliance 5.5 | vCenter Server 5.5 on Windows |
|---|---|---|
| Can be deployed | Only as a virtual machine | On a physical or virtual Windows machine |
| Operating system | Preconfigured Linux-based virtual machine | vCenter 5.5 requires a 64-bit OS and a 64-bit DSN: Windows Server 2012 (64-bit), Windows Server 2008 SP2 (64-bit), Windows Server 2008 R2 SP1 (64-bit), Windows Server 2008 R2 (64-bit) |
| Database | PostgreSQL for the embedded database; supports Oracle Database | SQL Server 2005 SP4 (Standard/Enterprise, 32-bit and 64-bit); SQL Server 2008 (R2 SP2, R2 SP1; Express/Standard/Enterprise/Datacenter, 32-bit and 64-bit); SQL Server 2012 SP1 (Enterprise/Standard, 32-bit and 64-bit); Oracle 11g Release 2 (Enterprise/Standard) and Oracle 11g One edition (32-bit and 64-bit) |
| Installation method | Deployed as a virtual machine using an OVF or OVA template | Installed on top of a Windows operating system |
| Hosts per vCenter | 100 hosts with the embedded vPostgres database; 1000 hosts with Oracle Database | 1000 hosts per vCenter Server |
| Virtual machines per vCenter | 3,000 VMs with the embedded vPostgres database; 10,000 VMs with Oracle Database | 10,000 VMs per vCenter Server |
| vCenter Linked Mode | Not supported | Supported with the Windows install |
| vCenter Server Heartbeat | Not supported | vCenter Heartbeat is a Windows application; it works with the Windows-installed vCenter Server |
| VMware Update Manager | Cannot be installed on the VCSA; Update Manager can be installed on a separate Windows machine for use with the VCSA | Supported with the Windows install |
| Auto Deploy | Bundled with the VCSA | Installed as an additional package; installation files are on the vCenter installation DVD |
| Syslog Collector | Installed by default | Installed as an additional package; installation files are on the vCenter installation DVD |
| ESXi Dump Collector service | Installed by default | Installed as an additional package; installation files are on the vCenter installation DVD |
| vSphere Web Client | Pre-installed with the VCSA | Installed as an additional package; installation files are on the vCenter installation DVD |
| PowerCLI | Cannot be installed on the vCSA | Can be installed on the Windows vCenter Server machine |
| IPv6 support | Not supported; IPv4 only | Both IPv4 and IPv6 are supported |

Saturday, December 6, 2014

Release for CentOS Linux Rolling media

CentOS Linux rolling builds are point in time snapshot media rebuild
from original release time, to include all updates pushed to
mirror.centos.org's repositories. This includes all security, bugfix,
enhancement and general updates for CentOS Linux. Machines installed
from this media will have all these updates pre-included and will look
no different when compared with machines installed with older media
that have been yum updated to the same point in time. All rpm/yum
repos remain on mirror.centos.org with no changes in either layout or
content. 
We will aim to update and issue for release a new set of these files
at the end of every month going forward. Each released filename
includes a datestamp and a buildtag to indicate the content included.
Files marked as 20141129_02 include all content released to
mirror.centos.org up to (and including) the 29th of Nov 2014 and are
the second build of that cycle. While all builds are made public at
buildlogs.centos.org/, only those that pass our QA and testing cycles
will be marked as released, to be included in
buildlogs.centos.org/rolling/. We will also do interim builds as
needed (for development and testing purposes) at different points in
time; those builds will not be marked for general release, but will
still be available publicly.

Since there is a need to test these images, the release will always
lag a few days behind the datestamp (and therefore the content
included) in the release. My aim is to automate as much of this as
possible going forward to reduce this time lag as much as possible;
however, we might not be able to remove it completely.

With every cycle, we hope to increase the content made available in
this rolling format. Immediate next steps include bringing the CentOS
Linux 7 livemedia into the rolling releases followed by CentOS Linux 6
content from the next ( December 2014 ) cycle.

Due to the way the installer works in CentOS-5, and its point in time
we have no plans on including CentOS-5 in this cycle at this point.

For the sake of uniformity and communication, the release media will
be referenced by the month it reflects, not the month it was released
in. Making this release the Nov 2014 Rolling release.

Other content formats like containers and vendor specific images will
aim to start with the same cycle as the main CentOS Linux media, but
might move to a more frequent build and release cycle if needed.
Special Interest Groups ( http://wiki.centos.org/SpecialInterestGroup
) wanting to do media and installer releases should also consider
using the rolling timelines to sync with.
 
CentOS Linux distro installer media:

File: CentOS-7-x86_64-DVD-20141129_02.iso
Sha256sum:
85a46c62b5bfc701678bef7854bb73af4ccfb840dfcbfb2f9b2189e08fe9438c

File: CentOS-7-x86_64-Everything-20141129_02.iso
Sha256sum:
f9fdd8b12c9529a1e3bf7628ebee964b2aeb9fd66540de7b369e0fde6f7a4236

File: CentOS-7-x86_64-Minimal-20141129_02.iso
Sha256sum:
e1338d13178f1c66c17386b7ced0b1459c677ff9a1cf095ac4db377234cc03fa

Symlinks are provided that will always map to the latest released
builds, as follows (including their current mapping):
http://buildlogs.centos.org/rolling/7/isos/x86_64/CentOS-7-x86_64-DVD.iso
  -> CentOS-7-x86_64-DVD-20141129_02.iso
http://buildlogs.centos.org/rolling/7/isos/x86_64/CentOS-7-x86_64-Everything.iso
  -> CentOS-7-x86_64-Everything-20141129_02.iso
http://buildlogs.centos.org/rolling/7/isos/x86_64/CentOS-7-x86_64-Minimal.iso
  -> CentOS-7-x86_64-Minimal-20141129_02.iso

These symlinks will be updated to point at the latest tested and
released media and make for a good target in automation that requires
CentOS Linux media.
 
Cloud and Instance Images:

The CentOS Linux 7 GenericCloud image is built to include cloud-init
from the Extras/ repository. The image is made available in multiple
formats, with identical content. The cloud images are released via
http://cloud.centos.org/centos/7/images/

File: CentOS-7-x86_64-GenericCloud-20141129_01.qcow2
Desc: This is the reference image.
Size: 944 MB
Sha256Sum:
7710ffdd497cf00fc72c22a3fa7cc7adb3424d3542521ca8fbe19eba9ded403f

File: CentOS-7-x86_64-GenericCloud-20141129_01.qcow2c
Desc: This is the same image, run through the qemu qcow2 internal
compression setup. While this image is suitable for development and
play, it comes with non-trivial I/O performance penalties and is
therefore not recommended for production.
Size: 399MB
Sha256Sum:
db42e4fb9565e75f0acbe6b54a5b8822f3f1e9783fb1a553e1552c72ceaff8df

File: CentOS-7-x86_64-GenericCloud-20141129_01.qcow2.xz
Desc: This is the regular qcow2 file, run through the xz compression
tool. This gives a regular qcow2 file, suitable for production use.
Size: 266MB
Sha256Sum:
9b0b38c48a24164c15c33625972b87835501b6994c3ee894f6b79ce40e7d5e54

File: CentOS-7-x86_64-GenericCloud-20141129_01.raw
Desc: This is a raw format file for systems that don't consume qcow2
image types. It is also suitable for use with "qemu-img convert" to
render into different formats.
Size: 8GB.
Sha256Sum:
2e643310bdb3cda775905408dbfe378a5eed04e91db193165178afc5ed5492b8


Symlinks are provided that will always map to the latest released
builds, as follows (including their current mapping):
http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2
  -> CentOS-7-x86_64-GenericCloud-20141129_01.qcow2
http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2c
  -> CentOS-7-x86_64-GenericCloud-20141129_01.qcow2c
http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2.xz
  -> CentOS-7-x86_64-GenericCloud-20141129_01.qcow2.xz
http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.raw
  -> CentOS-7-x86_64-GenericCloud-20141129_01.raw

These symlinks will be updated to point at the latest tested and
released media and make for a good target in automation that requires
CentOS Linux media.
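Both the installer media and the cloud images above ship with SHA-256 sums, and both sets of symlinks are offered as automation targets. Anything that automates against the symlink should still verify what it fetched against the published sum for the dated build the symlink resolves to; otherwise a moved symlink or a tampered mirror goes unnoticed. The script below is an added example, not part of the CentOS announcement: it carries the seven sums from this release keyed by dated filename, verifies a local file against them (or against a sum you pass explicitly), and refuses names it has no sum for. The `fetch_and_verify` helper assumes the dated files sit in the same directory as their symlinks, which is what the listings above imply.

```shell
#!/bin/sh
# Added example, not part of the CentOS announcement: verify rolling media
# against the SHA-256 sums published with the Nov 2014 release before
# automation consumes it.

# Sums copied from the announcement, keyed by the dated filename.
# Anything not listed is refused rather than trusted.
published_sha256() {
    case "$1" in
        CentOS-7-x86_64-DVD-20141129_02.iso)               echo 85a46c62b5bfc701678bef7854bb73af4ccfb840dfcbfb2f9b2189e08fe9438c ;;
        CentOS-7-x86_64-Everything-20141129_02.iso)        echo f9fdd8b12c9529a1e3bf7628ebee964b2aeb9fd66540de7b369e0fde6f7a4236 ;;
        CentOS-7-x86_64-Minimal-20141129_02.iso)           echo e1338d13178f1c66c17386b7ced0b1459c677ff9a1cf095ac4db377234cc03fa ;;
        CentOS-7-x86_64-GenericCloud-20141129_01.qcow2)    echo 7710ffdd497cf00fc72c22a3fa7cc7adb3424d3542521ca8fbe19eba9ded403f ;;
        CentOS-7-x86_64-GenericCloud-20141129_01.qcow2c)   echo db42e4fb9565e75f0acbe6b54a5b8822f3f1e9783fb1a553e1552c72ceaff8df ;;
        CentOS-7-x86_64-GenericCloud-20141129_01.qcow2.xz) echo 9b0b38c48a24164c15c33625972b87835501b6994c3ee894f6b79ce40e7d5e54 ;;
        CentOS-7-x86_64-GenericCloud-20141129_01.raw)      echo 2e643310bdb3cda775905408dbfe378a5eed04e91db193165178afc5ed5492b8 ;;
        *) return 1 ;;
    esac
}

# Lower-case hex digest of a local file; uses sha256sum or, failing that, shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        awk '{ print tolower($1) }'
}

# verify_media <path> [expected]: exit 0 on match, 1 on mismatch, 2 if the file
# is missing or no published sum is known. Without <expected>, the sum is looked
# up by the file's basename, so pass the dated name the symlink resolves to,
# not the symlink name.
verify_media() {
    path=$1
    [ -f "$path" ] || { echo "missing: $path" >&2; return 2; }
    if [ -n "${2:-}" ]; then
        expected=$2
    else
        expected=$(published_sha256 "$(basename "$path")") ||
            { echo "no published sum for $(basename "$path")" >&2; return 2; }
    fi
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    actual=$(file_sha256 "$path")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $path"
    else
        echo "FAIL $path: got $actual, expected $expected" >&2
        return 1
    fi
}

# fetch_and_verify <base_url> <dated_name>: download the dated file (assumed to
# sit beside its symlink in the release directory) and verify it. Fetching the
# dated name keeps the checksum lookup unambiguous after the symlink moves on.
fetch_and_verify() {
    curl -fsSL -o "$2" "$1/$2" && verify_media "$2"
}

if [ "$#" -ge 1 ]; then verify_media "$@"; fi
```

Typical use is `sh verify-media.sh CentOS-7-x86_64-Minimal-20141129_02.iso` after a download, or `fetch_and_verify http://buildlogs.centos.org/rolling/7/isos/x86_64 CentOS-7-x86_64-Minimal-20141129_02.iso` from a provisioning job. The sums are the integrity check; they are only as trustworthy as the channel you obtained them from, so take them from the signed announcement rather than from the same mirror that served the image.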
 

Monday, December 1, 2014

Leader



As a leader, you hold a great responsibility. You are the architect of the plan that will take your people to a better place, not just in terms of the achievement of common goals, but also in terms of the fulfillment of their basic, as well as their more complex needs as human beings.
Regardless of whether you lead a small or a large organization, for-profit or not-for-profit, a religious community or a sports club, as a leader you are ultimately responsible for certain decisions affecting other people's lives.
People do not mess around with their livelihoods, therefore human beings only follow those who care about their needs.
Your ability to visualize joint goals, alongside your capacity to satisfy common human needs, becomes instrumental for good leadership.
But while leading people in general is always a difficult task, leading leaders is certainly a much more complex challenge.
The complexity in leading leaders resides in the fact that the needs of those who have already reached a leadership role are not necessarily related to the basic needs of the "general public", such as financial stability, protection against unexpected adversities and sense of belonging.
People holding leadership roles expect those above them to understand their "more complex" needs. Leader's needs have more to do with status, contribution and self-actualization, than with mere monetary compensation per se.
We all have seen examples of organizations promoting super-achievers at mid management level, to senior leadership roles.
The problem with this type of policy is that in most cases the super-achiever does not understand what it takes to manage other leaders effectively.
Super-achievers tend to struggle when promoted to C-level roles due to a variety of reasons, including:
  • Selfishness.
  • Inability to delegate.
  • Incapability to empathize.
  • Result-centeredness.
Working at C-level is radically different to managing a team of doers or being a super-star.
As a senior leader you will need to gain the aid and support of other leaders in order to be able to materialize common strategic goals. Otherwise you take the risk of being sabotaged very quickly.
In this article, I will recap on what attitudes and behaviors you must nurture in order to be able to lead a team of leaders.
# 1. Empower Your Team:
Once you are in a C-level role, you should no longer tell your people what to do or how to do it. You are leading leaders, so they know perfectly well the what's and how's.
Telling other leaders what to do or how to do it is a clear sign of your lack of confidence in their ability to lead their teams.
People in leadership roles like to feel empowered. They need to feel that those above them have full confidence in their ability to make the most out of the resources available to them.
# 2. Be Humble:
Ask your team for their opinion and incentivize open debate. Don't impose your thoughts. Promote discussion and challenge the status quo, so that other leaders have the opportunity to express their ideas too.
Humble leaders understand and apply a balance of being strong, yet gentle. They are open to constructive criticism and innovative ideas.
Other leaders need to feel that their opinion matters and most importantly, that they are no longer compensated for what they “do”, but for their strategic contributions.
# 3. Be Coherent:
Your behavior will be permanently under scrutiny. Other leaders will incessantly judge your actions, as most likely their ultimate goal is to occupy your chair, and that's fine: succession plans are a key part of every organizational strategy.
It is critical that your actions are consistent with your words. Never ask other leaders to do what you cannot or you would not do yourself.
Don't abuse your position of authority, and always apply rational judgment to all your actions.
# 4. Be Generous:
If you are in a C-level role, make sure you share the spotlight with other leaders who may benefit from additional visibility and exposure. Give them the opportunity to shine when the right occasion arises.
Self-actualized individuals are concerned with solving problems, including helping others and finding solutions to problems in the external world. These people are often motivated by a sense of personal responsibility and ethics.
Admirable leaders come across as very personable and generous human beings; they express their self-confidence through inclusiveness and generosity.
If you don't allow other leaders to exploit their intellectual talent and reward them for their contributions, you may soon see them break away.
Self-actualization, creativity and status are all key motivational drivers for people in leading roles. As a leader of leaders your primary responsibility is to fulfill those needs.
Remember that you do not need to be the one calling all the shots anymore; that's why you lead a team of leaders now!

Thursday, November 13, 2014

Hardware discontinuation / immediate End of Life SRX210H-P-MGW, SRX220H-P-MGW, SRX240H-P-MGW, SRX-MP-VA04, SRX-MP-VA04, SRX-MP-VA22

Product Affected:

SRX210H-P-MGW, SRX220H-P-MGW, SRX240H-P-MGW, SRX-MP-VA04, SRX-MP-VA04, SRX-MP-VA22

Alert Description:

The Integrated Convergence Services (ICS) solution, consisting of the Branch SRX Media Gateway products SRX210H-P-MGW, SRX220H-P-MGW, SRX240H-P-MGW, SRX-MP-VA04, SRX-MP-VA04, SRX-MP-VA22, is being discontinued immediately and removed as a supported product. These products were in early access, but not launched. Juniper Networks will be contacting customers with these products in order to replace them with similar SRX products that do not contain the ICS and Media Gateway functionality. This will be handled as an "Exchange RMA." Customers are asked to call in and state that their call is in reference to the "SRX Media Gateway Exchange Program".

Once the exchange RMA is taken, the replacement device(s) will be shipped to the customer. The replacement hardware will be registered and the remaining term of the support contract will be transferred to the new hardware. Shipping labels will be sent to the customer with the replacement device, one for each device in the exchange to be returned to Juniper. The customer will use the box received from the replacement device to return the SRX-MGW device(s).

Update 11/12/14:

All products listed above have reached EOL and no further exchanges or RMA's will be fulfilled.

Tuesday, November 4, 2014

Enable EPEL repository in CentOS & RHEL

EPEL stands for 'Extra Packages for Enterprise Linux'. As the name suggests, EPEL provides additional RPM packages for RHEL, CentOS, Scientific Linux (SL) and Oracle Enterprise Linux (OEL). EPEL is created and maintained by the Fedora community, and EPEL packages are 100% free/libre open source software (FLOSS).
In this post we will discuss how to enable the EPEL repository in CentOS / RHEL 5.X / 6.X / 7.X.

For CentOS 5.X / RHEL 5.X

Open the terminal, become the root user and execute the command below:
For 32 bit OS
# rpm -Uvh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
For 64 bit OS
# rpm -Uvh http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

For CentOS 6.X / RHEL 6.X

Open the terminal and execute the command below as the root user.
For 32 bit OS
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
For 64 bit OS
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

For CentOS 7.X / RHEL 7.X

Open the terminal and execute the command below as the root user.
For 64 bit OS
# rpm -Uvh http://download.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm
Note : EPEL repository file is located under ‘/etc/yum.repos.d/epel.repo’
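The three sections above are one procedure with a branch on major version and architecture. The script below is an added example, not from the original post: it reads the major version from /etc/redhat-release, maps it and the machine architecture to the epel-release URL the post gives for that combination (EL7 has no 32-bit package, so that pairing is refused rather than guessed), runs the same `rpm -Uvh` the post uses, and confirms that /etc/yum.repos.d/epel.repo exists afterwards. The release strings it is tested against are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: select and install the
# epel-release package for the running CentOS/RHEL major version.

# Major version from a /etc/redhat-release line, e.g.
# "CentOS Linux release 7.0.1406 (Core)" -> 7
# "Red Hat Enterprise Linux Server release 6.5 (Santiago)" -> 6
major_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p'
}

# Normalise `uname -m` output to the package architecture names used above.
package_arch_of() {
    case "$1" in
        i?86)   echo i386 ;;
        x86_64) echo x86_64 ;;
        *)      return 1 ;;
    esac
}

# URL of the epel-release rpm for <major> <arch>, exactly as listed in the
# post. EL7 is 64-bit only; any other combination is refused.
epel_release_url() {
    case "$1/$2" in
        5/i386)   echo http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm ;;
        5/x86_64) echo http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm ;;
        6/i386)   echo http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm ;;
        6/x86_64) echo http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm ;;
        7/x86_64) echo http://download.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm ;;
        *) return 1 ;;
    esac
}

# Install epel-release for this host and confirm the repo file landed.
# Must run as root, like the commands in the post.
enable_epel() {
    [ -r /etc/redhat-release ] || { echo "not a RHEL-family host" >&2; return 1; }
    major=$(major_version_of "$(cat /etc/redhat-release)")
    arch=$(package_arch_of "$(uname -m)") || { echo "unsupported arch: $(uname -m)" >&2; return 1; }
    url=$(epel_release_url "$major" "$arch") ||
        { echo "no epel-release known for EL$major/$arch" >&2; return 1; }
    echo "installing $url"
    rpm -Uvh "$url" && [ -f /etc/yum.repos.d/epel.repo ]
}

# Only act when invoked as `sh enable-epel.sh install`; sourcing the file
# just defines the functions.
if [ "${1:-}" = install ]; then enable_epel; fi
```

Because the package is installed straight from the URL, rpm will report that the package's signing key is not yet known on a fresh host; epel-release itself ships the EPEL GPG key into /etc/pki/rpm-gpg, which is what later `yum` installs from the repository are checked against. After `enable_epel` returns successfully, `yum repolist` should show the epel line as in the listing below.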

List New Repository

[root@localhost ~]# yum repolist 
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.nbrc.ac.in
 * epel: ftp.jaist.ac.jp
 * extras: mirror.nbrc.ac.in
 * updates: mirror.nbrc.ac.in
repo id            repo name                                                 status
base/7/x86_64      CentOS-7 - Base                                           8,465
epel/x86_64        Extra Packages for Enterprise Linux 7 - x86_64            6,349
extras/7/x86_64    CentOS-7 - Extras                                         75
updates/7/x86_64   CentOS-7 - Updates                                        1,127
repolist: 16,016

List EPEL Packages:

[root@localhost ~]# yum --disablerepo="*" --enablerepo="epel" list available