Friday 9 March 2012

Netscreen SSG140 dual factor VPN with Yubikey

For a while I have been meaning to type up a guide to setting up dual factor VPNs on Netscreen SSG firewalls. It took me a while to figure it all out, referring to lots of online sources, so hopefully this will be useful to someone. I have a Juniper Netscreen SSG 140 firewall which various users are logging into, getting access to different systems based on their permissions. I used the excellent and cheap Yubikey from Yubico to get the second factor working. Feel free to post any queries or suggestions; I'll try to answer any I can, but I'm far from an expert.

Thursday 19 January 2012

IPv6 - Time to get the ball rolling?

About a year ago I started seriously looking into IPv6 and managed to get all the way to "Guru" status on the Hurricane Electric certification program. However, I lost momentum because then I was stuck. Our main providers did not support IPv6 (BTNet, 123-reg and Rackspace being the main ones), so I could not get direct IPv6 connectivity for any of our systems. Using a tunnel would have worked but did not seem right for production systems.

However, after hearing about the World IPv6 Launch day being planned for 6th June this year, I've had another look and things are looking a lot more workable. Good news, since RIPE is due to run out of IP address blocks for Europe in about 164 days.

Rackspace are supporting IPv6 on most of their services if you put in a request.

BT plan to launch full standardised IPv6 support in early 2012 - I have fired off an email to my account manager to see if there are any firmer dates.

123-Reg now support IPv6 AAAA records via their web based DNS management and even IPv6 glue for domains - however, you need to raise a support request for DNS glue.

Given that service providers seem to actually support IPv6 now, and with at least Google, Facebook, Yahoo and Bing planning to turn IPv6 on permanently from 6th June, we seem to be approaching the point where having IPv6 connectivity is both possible and usable. How long before IPv4 starts to have noticeable problems for end users is another question, but since it will happen eventually I'm happy to get started as soon as possible. It's going to be a fun challenge to get my teeth into as soon as BT start assigning subnets.