Sunday, March 9, 2014

How to Set Up and Deploy RSA Keys Within a PKI (Cisco IOS)

How to Set Up and Deploy RSA Keys Within a PKI




Generating an RSA Key Pair

Perform this task to manually generate an RSA key pair.
SUMMARY STEPS
    1.    enable 
    2.    configure terminal 
    3.    crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename:] [on devicename:]
    4.    exit 
    5.    show crypto key mypubkey rsa 

Managing RSA Key Pairs and Trustpoint Certificates

Perform this task to configure the router to generate and store multiple RSA key pairs, associate the key pairs with a trustpoint, and get the certificates for the router from the trustpoint.
Before You Begin
You must have already generated an RSA key pair as shown in the “Generating an RSA Key Pair” task.
SUMMARY STEPS
    1.    enable 
    2.    configure terminal 
    3.    crypto pki trustpoint name 
    4.    rsakeypair key-label [key-size [encryption-key-size]] 
    5.    enrollment selfsigned 
    6.    subject-alt-name name 
    7.    exit 
    8.    crypto pki enroll name 
    9.    exit 
    10.    show crypto key mypubkey rsa 


Exporting and Importing RSA Keys

This section contains the following tasks that can be used for exporting and importing RSA keys. Whether you are using PKCS12 files or PEM files, exportable RSA keys allow you to use existing RSA keys on Cisco IOS routers instead of having to generate new RSA keys if the main router were to fail.

Exporting and Importing RSA Keys in PKCS12 Files

Exporting and importing RSA key pairs enables users to transfer security credentials between devices. The key pair that is shared between two devices allows one device to immediately and transparently take over the functionality of the other router.
Before You Begin
You must generate an RSA key pair and mark it “exportable” as specified in the “Generating an RSA Key Pair” task.

Note


  •  You cannot export RSA keys that existed on the router before your system was upgraded to Cisco IOS Release 12.2(15)T or later. You have to generate new RSA keys and label them as “exportable” after you upgrade the Cisco IOS software.
  •  When you import a PKCS12 file that was generated by a third-party application, the PKCS12 file must include a CA certificate.
  •  If you want to reexport an RSA key pair after you have already exported it and imported it to a target router, you must specify the exportable keyword when you import the RSA key pair.
  •  The largest RSA key a router may import is 2048-bits.

SUMMARY STEPS
    1.    crypto pki trustpoint name 
    2.    rsakeypair key-label [key-size [encryption-key-size]] 
    3.    exit 
    4.    crypto pki export trustpointname pkcs12 destination-url password password-phrase 
    5.    crypto pki import trustpointname pkcs12 source-url password password-phrase 
    6.    exit 
    7.    show crypto key mypubkey rsa 



Exporting and Importing RSA Keys in PEM-Formatted Files

Perform this task to export or import RSA key pairs in PEM files.
Before You Begin
You must generate an RSA key pair and mark it “exportable” as specified in the “Generating an RSA Key Pair” task.

Note


  •  You cannot export and import RSA keys that were generated without an exportable flag before your system was upgraded to Cisco IOS Release 12.3(4)T or a later release. You have to generate new RSA keys after you upgrade the Cisco IOS software.
  •  The largest RSA key a router may import is 2048 bits.


Note


Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.

SUMMARY STEPS
    1.    crypto key generate rsa {usage-keys | general-keys} label key-label [exportable]
    2.    crypto pki export trustpoint pem {terminal | url destination-url} {3des | des} password password-phrase 
    3.    crypto pki import trustpoint pem [check | exportable | usage-keys] {terminal | url source-url} password password-phrase 
    4.    exit 
    5.    show crypto key mypubkey rsa 
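The PKCS12 and PEM transfers from the two tasks above, shown as an added example rather than text from the Cisco guide. The trustpoint SELFSIGNED and key VPNKEY are assumed to exist from the earlier example, the TFTP server 10.0.0.5, the file name and the passphrase are placeholders, and the standby router's prompt is shown as Standby.

```cisco
! PKCS12: the bundle (private key, router certificate, CA chain) is written to a
! TFTP server. TFTP is cleartext, so the passphrase is what protects the key in transit.
Router(config)# crypto pki export SELFSIGNED pkcs12 tftp://10.0.0.5/router1.p12 password EXPORT_PASSPHRASE

! On the replacement router the import creates the trustpoint and the key pair
Standby(config)# crypto pki import SELFSIGNED pkcs12 tftp://10.0.0.5/router1.p12 password EXPORT_PASSPHRASE

! PEM alternative with no file server: the CA certificate, the 3DES-encrypted
! private key and the router certificate are printed to the terminal ...
Router(config)# crypto pki export SELFSIGNED pem terminal 3des password EXPORT_PASSPHRASE

! ... and pasted on the standby. 'exportable' is given here because, per the
! notes above, a key imported without it cannot be exported a second time.
Standby(config)# crypto pki import SELFSIGNED pem exportable terminal password EXPORT_PASSPHRASE
! (paste each PEM block, ending with its -----END ...----- line)
Standby(config)# exit
Standby# show crypto key mypubkey rsa
```

After the import the standby should list VPNKEY with the same public key as the original router; a mismatch in the show output means a different key pair was generated locally instead of imported.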



Encrypting and Locking Private Keys on a Router

Digital signatures are used to authenticate one device to another device. To use digital signatures, private information (the private key) must be stored on the device that is providing the signature. The stored private information may aid an attacker who steals the hardware device that contains the private key; for example, a thief might be able to use the stolen router to initiate a secure connection to another site by using the RSA private keys stored in the router.

Note


RSA keys are lost during password recovery operations. If you lose your password, the RSA keys will be deleted when you perform the password recovery operation. (This function prevents an attacker from performing password recovery and then using the keys.)

To protect the private RSA key from an attacker, a user can encrypt the private key stored in NVRAM with a passphrase. Users can also “lock” the private key, which blocks new connection attempts on a running router and protects the key if the router is stolen.
Perform this task to encrypt and lock the private key that is saved to NVRAM.

Note


The RSA keys must be unlocked while enrolling the CA. The keys can be locked while authenticating the router with the CA because the private key of the router is not used during authentication.

Before You Begin
Before encrypting or locking a private key, you should perform the following tasks:
  • Generate an RSA key pair as shown in the task “Generating an RSA Key Pair.”
  • Optionally, you can authenticate and enroll each router with the CA server.

Note


Backward Compatibility Restriction
Any image prior to Cisco IOS Release 12.3(7)T does not support encrypted keys. To prevent your router from losing all encrypted keys, ensure that only unencrypted keys are written to NVRAM before booting an image prior to Cisco IOS Release 12.3(7)T.
If you must download an image prior to Cisco IOS Release 12.3(7)T, decrypt the key and immediately save the configuration so the downloaded image does not overwrite the configuration.
Interaction with Applications
An encrypted key is not effective after the router boots up until you manually unlock the key (via the crypto key unlock rsa command). Depending on which key pairs are encrypted, this functionality may adversely affect applications such as IP security (IPsec), SSH, and SSL; that is, management of the router over a secure channel may not be possible until the necessary key pair is unlocked.
SUMMARY STEPS
    1.    crypto key encrypt [write] rsa [name key-name] passphrase passphrase
    2.    exit 
    3.    show crypto key mypubkey rsa 
    4.    crypto key lock rsa name key-name passphrase passphrase
    5.    show crypto key mypubkey rsa 
    6.    crypto key unlock rsa [name key-name] passphrase passphrase
    7.    configure terminal 
    8.    crypto key decrypt [write] rsa [name key-name] passphrase passphrase
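The encrypt, lock, unlock and decrypt sequence as an added example (not from the Cisco guide), using the assumed key VPNKEY from the earlier examples and a placeholder passphrase. The encrypt and decrypt commands run in global configuration mode; lock and unlock run in privileged EXEC mode, matching the summary steps above.

```cisco
! Encrypt the private key in NVRAM; 'write' saves the encrypted form immediately
Router# configure terminal
Router(config)# crypto key encrypt write rsa name VPNKEY passphrase KEY_PASSPHRASE
Router(config)# exit
Router# show crypto key mypubkey rsa

! Lock: the running router keeps the key only in encrypted form, so new IPsec,
! SSH or SSL sessions that depend on it fail until the key is unlocked
Router# crypto key lock rsa name VPNKEY passphrase KEY_PASSPHRASE
Router# show crypto key mypubkey rsa

! After every reboot (and after an explicit lock) the key must be unlocked by hand;
! do this over a channel that does not itself depend on VPNKEY, e.g. the console
Router# crypto key unlock rsa name VPNKEY passphrase KEY_PASSPHRASE

! Only before booting an image older than 12.3(7)T: decrypt and save at once,
! otherwise the old image discards the encrypted key
Router# configure terminal
Router(config)# crypto key decrypt write rsa name VPNKEY passphrase KEY_PASSPHRASE
```

The operational caveat from the "Interaction with Applications" note is the unlock step: if the only management path to the router is SSH with VPNKEY, a reboot leaves the router unreachable until someone unlocks the key from the console.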






Removing RSA Key Pair Settings

An RSA key pair may need to be removed for one of the following reasons:
  • During manual PKI operations and maintenance, old RSA keys can be removed and replaced with new keys.
  • An existing CA is replaced and the new CA requires newly generated keys; for example, the required key size might have changed in an organization so you would have to delete the old 1024-bit keys and generate new 2048-bit keys.
  • The peer router's public keys can be deleted in order to help debug signature verification problems in IKEv1 and IKEv2. Keys are cached by default with the lifetime of the certificate revocation list (CRL) associated with the trustpoint.
Perform this task to remove all RSA keys or the specified RSA key pair that has been generated by your router.
SUMMARY STEPS
    1.    enable 
    2.    configure terminal 
    3.    crypto key zeroize rsa [key-pair-label]
    4.    crypto key zeroize pubkey-chain [index]
    5.    exit 
    6.    show crypto key mypubkey rsa 



Configuring Cisco IOS Manual Certificate Enrollment

Configuring Manual Certificate Enrollment

Manual certificate enrollment can be set up via TFTP or the manual cut-and-paste method. Both options can be used if your CA does not support SCEP or if a network connection between the router and CA is not possible. Perform one of the following tasks to set up manual certificate enrollment:

PEM-Formatted Files for Certificate Enrollment Request

Using PEM-formatted files for certificate requests can be helpful for customers who are using terminal or profile-based enrollment to request certificates from their CA server. Customers using PEM-formatted files can directly use existing certificates on their routers.

Restrictions for Manual Certificate Enrollment

SCEP Restriction
We do not recommend switching URLs if SCEP is used; that is, if the enrollment URL is “http://myca,” do not change the enrollment URL after getting the CA certificate and before enrolling the certificate. A user can switch between TFTP and manual cut-and-paste.
Key Regeneration Restriction
Do not regenerate the keys manually using the crypto key generate command; key regeneration will occur when the crypto pki enroll command is issued if the regenerate keyword is specified.

Configuring Cut-and-Paste Certificate Enrollment

Perform this task to configure cut-and-paste certificate enrollment. This task helps you to configure manual certificate enrollment via the cut-and-paste method for peers participating in your PKI.
SUMMARY STEPS
    1.    enable 
    2.    configure terminal 
    3.    crypto pki trustpoint name 
    4.    enrollment terminal pem 
    5.    fingerprint ca-fingerprint 
    6.    exit 
    7.    crypto pki authenticate name 
    8.    crypto pki enroll name
    9.    crypto pki import name certificate
    10.    exit 
    11.    show crypto pki certificates 
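The cut-and-paste enrollment above as one terminal session, added here as an example and not taken from the Cisco guide. The trustpoint name MANUALCA and the fingerprint value are placeholders; the certificate bodies are elided, and the router's prompts are abbreviated.

```cisco
Router# configure terminal
Router(config)# crypto pki trustpoint MANUALCA
Router(ca-trustpoint)# enrollment terminal pem
! The fingerprint comes from the CA operator out of band; with it configured,
! a pasted CA certificate that does not match is rejected instead of trusted
Router(ca-trustpoint)# fingerprint CA_FINGERPRINT_PLACEHOLDER
Router(ca-trustpoint)# exit

! Step 7: paste the CA certificate in PEM form, then type quit
Router(config)# crypto pki authenticate MANUALCA
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
... (CA certificate, elided) ...
-----END CERTIFICATE-----
quit

! Step 8: the router prints a PEM certificate request; submit it to the CA.
! Do not run 'crypto key generate rsa' by hand at this point (see the restriction above)
Router(config)# crypto pki enroll MANUALCA
-----BEGIN CERTIFICATE REQUEST-----
... (request to hand to the CA, elided) ...
-----END CERTIFICATE REQUEST-----

! Step 9: paste the certificate the CA issued for this request, then quit
Router(config)# crypto pki import MANUALCA certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
... (issued router certificate, elided) ...
-----END CERTIFICATE-----
quit
Router(config)# exit
Router# show crypto pki certificates
```

The final show command should list both the CA certificate (from step 7) and the router certificate (from step 9) under MANUALCA; only the CA certificate being present means the import was done against the wrong trustpoint or the pasted certificate did not match the router's key.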

Sunday, February 2, 2014

How to detect a memory leak on Checkpoint Security Gateway SPLAT / Gaia

Background

A memory leak is abnormal growth of memory usage, in either kernel space or user space, caused by memory that is allocated but never freed.
The leaked memory significantly degrades the performance of the machine and can eventually crash it.
This article describes a procedure for detecting a memory leak in kernel space (memory leaks in user space are detected with special tools, such as valgrind, run against a specific process).


Procedure

Note: The kernel parameters described below can be enabled (value set to 1) indefinitely without any impact - neither on security, nor on performance.
  1. To enable memory leak detection, set the following kernel parameters in $FWDIR/boot/modules/fwkern.conf file per sk26202.

    fw_salloc_debug_leaks=1
    fw_hmem_debug_leaks=1
    fw_kmem_cphwd_use_fw=1
    fw_kmem_detailed_leak_report=1
    fw_kdprintf_limit=0
    fw_kdprintf_limit_time=0
  2. Save the changes and reboot the machine.
  3. Verify that the values for kernel parameters were accepted:

    [Expert@HostName]# fw ctl get int fw_salloc_debug_leaks
    [Expert@HostName]# fw ctl get int fw_hmem_debug_leaks
    [Expert@HostName]# fw ctl get int fw_kmem_cphwd_use_fw
    [Expert@HostName]# fw ctl get int fw_kmem_detailed_leak_report
    [Expert@HostName]# fw ctl get int fw_kdprintf_limit
    [Expert@HostName]# fw ctl get int fw_kdprintf_limit_time
  4. Collect CPinfo file:

    [Expert@HostName]# cpinfo -z -n -o /var/log/$(uname -n)_before.cpinfo
  5. Let the system run for at least several days - if possible, stress the machine by passing complex traffic through the gateway.
  6. On Gaia OS: Stop RouteD daemon:

    [Expert@HostName]# tellpm process:routed

    Notes:
    • In R76 cluster, this might cause a fail-over between cluster members (starting in R76, a new Device Name / Pnote called 'routed' was introduced). Refer to sk92787.
    • If RouteD daemon is not stopped, then Check Point kernel module will not be able to unload (in Steps 8,9 and 10) because /dev/fw* devices will remain in use, which can be seen in the output of 'lsof | grep -v grep | grep -E "PID|routed" | grep -E "PID|/dev/fw"' command.
    • This step applies only to Gaia R75.40 / R75.40VS / R75.45 / R75.46 / R76.
    • This issue was fixed in R75.47

  7. CRUCIAL: Collect CPinfo file right before next Step 8:

    [Expert@HostName]# cpinfo -z -n -o /var/log/$(uname -n)_during.cpinfo
  8. Stop all Check Point processes and applications:

    [Expert@HostName]# cpstop
  9. Stop all Check Point services:

    [Expert@HostName]# service cpboot stop
  10. Unload the Check Point kernel modules:

    [Expert@HostName]# cpstop -fwflag -driver

    Note: check the output carefully - there should NOT be
    any messages telling that FireWall kernel module could not be unloaded.
    Example of problematic message:
    fwmod_smp.2.4.21.cp.i686: Device or resource busy
    Possible reasons that the module is still being used:
    • Policy installation was in progress
    • Kernel debug was running
    • Some User Space process is still using the FireWall module (fwmod)
    Possible checks:
      Perform the following checks and the previous step again ('service cpboot stop')

    • Stop policy installation
    • Stop kernel debug

      • (A)
        Check that only the error, or warning, or none, or none flags were enabled for different modules
        [Expert@FW]# fw ctl debug

        To default the flags run
        [Expert@FW]# fw ctl debug 0
      • (B)
        Check that no kernel debugs are running
        The output of the following command should be empty
        [Expert@FW]# ps auxw | grep -v 'grep' | grep 'debug'

    • Stop the User Space process that uses the FireWall module

      • (A)
        The best practice is to try stopping the Service, which runs this process via Linux 'service' command
        If no such Service exists, then go to next Step (B)

        Example:
        [Expert@FW]# lsof /dev/fw0
        COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
        cpsnmpage 1112 root 20u CHR 253,0 65622 /dev/fw0

        In this case, 'cpsnmpage' process is /usr/sbin/cpsnmpagentx

        The service, which runs this process is SNMP

        Try stopping the SNMP service via Linux 'service' command
        [Expert@FW]# service snmp stop

        If 'lsof /dev/fw0' command still shows this process, then try stopping the SNMP service via SNMP command
        [Expert@FW]# snmp service disable

        If 'lsof /dev/fw0' command still shows this process, then go to next Step (B)
      • (B)
        Kill the process that uses the FireWall module
        [Expert@HostName]# kill -KILL PID_of_Process

        NOTE: PID of the process appears in the output of 'lsof' command in 2nd column 'PID'

        If 'lsof /dev/fw0' command still shows this process, then contact Check Point Support

  11. Check if FireWall kernel module is still loaded:

    [Expert@HostName]# lsmod | grep fwmod

    Note: This step is relevant for R6x versions only, skip this step for R7x versions.
  12. If FireWall kernel module is still loaded, unload it manually:

    [Expert@HostName]# rmmod <NAME_OF_FWMOD>

    Notes:
    • This step is relevant for R6x versions only, skip this step for R7x versions.
    • Check the output carefully - there should NOT be any messages telling that kernel module could not be unloaded.

  13. CRUCIAL: Collect the memory leak information by using the following exact syntax:

    [Expert@HostName]# \date >> /var/log/leak.txt
    [Expert@HostName]# dmesg >> /var/log/leak.txt
    [Expert@HostName]# \date >> /var/log/leak.txt
  14. Collect CPinfo file:

    [Expert@HostName]# cpinfo -z -n -o /var/log/$(uname -n)_after.cpinfo
  15. Start the Check Point services:

    [Expert@HostName]# service cpboot start
  16. Start Check Point processes and applications:

    [Expert@HostName]# cpstart
  17. On Gaia OS: Start RouteD daemon (which was stopped in Step 6):

    [Expert@HostName]# tellpm process:routed t
  18. Send the following files to Check Point Support:

    /var/log/leak.txt
    /var/log/messag*
    /var/log/<HostName>_before.cpinfo.gz
    /var/log/<HostName>_during.cpinfo.gz
    /var/log/<HostName>_after.cpinfo.gz
  19. To disable memory leak detection, set the following kernel parameters in $FWDIR/boot/modules/fwkern.conf file per sk26202.

    fw_salloc_debug_leaks=0
    fw_hmem_debug_leaks=0
    fw_kmem_cphwd_use_fw=0
    fw_kmem_detailed_leak_report=0
    fw_kdprintf_limit=30
    fw_kdprintf_limit_time=60

    Note: Another way to disable memory leak detection is to delete all these parameters from the $FWDIR/boot/modules/fwkern.conf file.
  20. Save the changes in $FWDIR/boot/modules/fwkern.conf file and reboot the machine.
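Helper functions for the verification, collection and disable steps of the procedure above (steps 3, 4/7/14, 13 and 19), written as an added example; they are not part of the Check Point article or of any Check Point tool. The script assumes that `fw ctl get int <name>` prints a line of the form `<name> = <value>`; the FW_CMD and DMESG_CMD overrides exist only so the functions can be exercised on a machine without a gateway.

```shell
#!/bin/sh
# Parameter sets from step 1 (detection on) and step 19 (detection off, default limits back)
LEAK_PARAMS_ON="fw_salloc_debug_leaks=1 fw_hmem_debug_leaks=1 fw_kmem_cphwd_use_fw=1 fw_kmem_detailed_leak_report=1 fw_kdprintf_limit=0 fw_kdprintf_limit_time=0"
LEAK_PARAMS_OFF="fw_salloc_debug_leaks=0 fw_hmem_debug_leaks=0 fw_kmem_cphwd_use_fw=0 fw_kmem_detailed_leak_report=0 fw_kdprintf_limit=30 fw_kdprintf_limit_time=60"

# get_kparam NAME: read one kernel parameter through the fw CLI (assumed output
# "NAME = VALUE"); prints only the value field
get_kparam() {
    ${FW_CMD:-fw} ctl get int "$1" | awk '{ print $NF }'
}

# check_leak_params "name=value ...": the step 3 check after the reboot.
# Every mismatch is reported on stderr; returns 0 only if all values match.
check_leak_params() {
    rc=0
    for pair in $1; do
        name=${pair%%=*}
        want=${pair#*=}
        have=$(get_kparam "$name")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $name: expected $want, got ${have:-<none>}" >&2
            rc=1
        fi
    done
    return $rc
}

# cpinfo_path PHASE: file name used in steps 4, 7 and 14 (before/during/after).
# cpinfo -z gzips the result, so the file handed to support ends in .cpinfo.gz (step 18).
cpinfo_path() {
    echo "/var/log/$(uname -n)_$1.cpinfo"
}

# collect_leak_log FILE: step 13. The two timestamps bracket the dmesg ring buffer
# so support can see when the capture was taken; \date bypasses any shell alias.
collect_leak_log() {
    \date >> "$1"
    ${DMESG_CMD:-dmesg} >> "$1"
    \date >> "$1"
}

# Typical use on the gateway after the step 1 parameters are in fwkern.conf and
# the machine has been rebooted:
#   check_leak_params "$LEAK_PARAMS_ON" || echo "leak detection is not active"
#   cpinfo -z -n -o "$(cpinfo_path before)"
#   ... traffic, tellpm / cpstop / cpboot stop / driver unload as in steps 5-12 ...
#   collect_leak_log /var/log/leak.txt
#   cpinfo -z -n -o "$(cpinfo_path after)"
# and, once detection is switched off again and the box rebooted (steps 19-20):
#   check_leak_params "$LEAK_PARAMS_OFF"
```

Running `check_leak_params "$LEAK_PARAMS_ON"` before step 4 catches the common mistake of a typo in fwkern.conf: a parameter the kernel never accepted reads back as its default, and days of traffic would otherwise be spent with detection half enabled.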

Saturday, February 1, 2014

Free OWASP (Open Web Application Security Project) Top 10 Course

Free OWASP Top 10 Course


http://securitycompass.com/computer-based-training/free-owasp-top-10/index.html
Thank you for choosing our free OWASP Top 10 CBT for your e-learning; all of which are ready for you below. If you enjoy them, consider upgrading to our full OWASP Top 10 course with some added features. We also have additional training courses that you may be interested in:
Click here for detailed information about our Training or contact us at [email protected]
To claim your CPE credits, apply and enter them through your own CPE association member website. 1 hour of video content = 1 CPE

Juniper Learning Portal and Free Day One Library - PDF Download

https://learningportal.juniper.net/juniper/user_training.aspx

http://www.juniper.net/us/en/training/jnbooks/day-one/

The Day One Library is available as free PDFs by clicking the links below. You will be taken to J-Net, Juniper's User Community.
If you are not a member, you will be asked to join and provide an email address and a password (it's a Juniper community). Then, in the future, you'll receive an occasional email notifying you of new books added to the library.

LEARN ABOUT BOOKS

JUNOS LEARNING SPHERE

JUNOS FUNDAMENTALS

JUNOS AUTOMATION

JUNOS DYNAMIC SERVICES

JUNOS FABRIC AND SWITCHING TECHNOLOGIES

JUNOS NETWORKING TECHNOLOGIES

JUNIPER VALIDATED SOLUTIONS

JUNIPER WIRELESS

JUNIPER MOBILE INFRASTRUCTURE

Friday, January 31, 2014

Wall Street's greed is just like a drug addiction: people work like madmen


In my last year on Wall Street my bonus was $3.6 million (about 21 million yuan), and I was angry because it wasn't enough. I was 30 years old, had no children to raise, no debts to pay, and no thought of philanthropy. I wanted more money for exactly the same reason an alcoholic wants another drink: I was addicted.

Eight years earlier I had walked into Credit Suisse First Boston (CSFB) to begin my summer internship. I knew I wanted to be rich, but as I started working toward it I came to understand wealth differently. I had come to Wall Street after reading Liar's Poker, which described how Michael Lewis earned a $225,000 bonus after just two years on a trading floor. That seemed like a fortune. Every January and February I think back to those days, because that is when bonuses are decided and handed out, when the big money is made.

I learned about the importance of being rich from my father. He was a modern-day Willy Loman, a salesman with big dreams that never seemed to come true. "Imagine what life will be like," he would say, "when I make a million dollars." He dreamed of selling screenplays, but in reality he sold kitchen cabinets. And not very well. From time to time we scraped by on my mother's income as a nurse practitioner.

My father believed money would solve all his problems. At 22, so did I. When I walked onto the trading floor for the first time and saw the glowing flat-screen TVs, the high-tech computer monitors and the phones covered in dials and buttons that looked like fighter-jet cockpits, I knew what I wanted to do with the rest of my life. It looked as if the traders were playing video games inside a spaceship; if you won the game, you became what I most wanted to be: rich.

It was a miracle that I made it to Wall Street at all. While I was a competitive, ambitious wrestler at Columbia University, I drank and smoked marijuana every day and regularly took cocaine, Ritalin and ecstasy. I had a self-destructive streak that got me suspended from Columbia for theft, arrested twice for fighting, and fired from an Internet company for the same reason. I had learned about rage from my father. I can still see his red, twisted face as he charged at me. I scrubbed my misdeeds from my résumé and lied my way into the CSFB internship, determined not to waste what seemed like my last chance. The only thing as important to me as the internship was my girlfriend, a freshman on Columbia's volleyball team. But even while I was with her, if I got drunk I would sometimes end up with other women.

Three weeks into my internship she wisely dumped me. I don't like who you've become, she said. I couldn't blame her, but I was so devastated I couldn't get out of bed. In desperation I called a counselor I had reluctantly seen a few times before and asked her for help.

She helped me see that I was using alcohol and drugs to blunt the powerlessness I had felt as a child, and she suggested I give them up. That began the hardest stretch of my life. Without alcohol and drugs I felt as if my chest had been cut open and my heart left exposed. The counselor said my drug and alcohol abuse was only the surface of a deeper problem, what she called a "spiritual malady." CSFB did not offer me a full-time job, and I returned to Columbia, distraught, for my senior year.

After graduation I called a managing director at Bank of America nonstop for three weeks; he took pity on a kid like me and gave me a chance, and I got a job there. After a year of staying clean I was clear-headed, sharp-eyed and hard-working. At the end of my first year I was thrilled to receive a $40,000 bonus. For the first time in my life I did not have to check my balance before withdrawing money. But a week later, a trader only four years my senior was poached by CSFB for $900,000. That was 22 times my bonus; at first I was envious and astonished, but then the thought of how much money there was to be made in this business left me giddy.

Over the next few years I worked like a madman and began to climb the Wall Street ladder. I became a bond and credit-default-swap trader, one of the most lucrative jobs in the business. After only four years at Bank of America, Citibank offered me a "1.75 by 2," meaning $1.75 million a year for two years, and I used it to get promoted. I started dating a beautiful blonde and rented a loft apartment on Bond Street for $6,000 a month.



I felt incredible. At 25 I could pick up the phone, call one of my brokers, and get into any restaurant in Manhattan, Per Se or Le Bernardin; brokers courted traders with unlimited entertainment budgets. I only had to hint to a broker that I might be interested in a Knicks-Lakers game and I would be sitting in the second row. The satisfaction wasn't only about the money; it was about the power. Because I was so smart and so successful, it was someone else's job to keep me happy.

Still, envy nagged at me. On a trading desk everyone sits together, from the interns to the managing directors. When the person next to you makes $10 million, $1 million or $2 million no longer looks so sweet. Even so, I was thrilled with my progress.

My counselor did not share my elation. She said I might be using money to make myself feel powerful, just as I had used drugs and alcohol, and that I might benefit from focusing on healing my "internal wounds" rather than on accumulating more money. "Internal wounds"? I thought that was a bit of a stretch, so I went off to work at a hedge fund.

Now I was working shoulder to shoulder with billionaires, and I became a tireless, insatiably greedy man. I would wonder how my colleagues could buy Micronesia if they wanted to, or become mayor of New York City. They didn't just have money; they had power, power that went far beyond getting a table at Le Bernardin. Senators came to their offices. They were royalty.

I wanted to make a billion dollars. It is astonishing that I was thinking this way after only five years: from the thrill of my first $40,000 bonus to the disappointment of being paid "only" $1.5 million in my second year at the hedge fund.

In the end, though, it was my absurdly rich bosses who helped me see the limits of unlimited wealth. I was in a meeting with one of them and a few other traders, and they were discussing the new hedge-fund regulations. Nearly everyone on Wall Street thought they were a terrible idea. "But isn't it better for the system as a whole?" I asked. The room went quiet and my boss shot me a withering look. I remember him saying, "I don't have the brain capacity to think about the system as a whole. All I care about is how the new rules affect our firm."

I felt as if I had been punched in the stomach. He was already that rich, and he was still afraid of losing money.

From that moment on I started to see Wall Street with new eyes. I noticed the vitriol traders directed at the government for limiting bonuses after the financial crisis. I heard the fury in their voices at any mention of higher taxes. These traders had no patience for anything or anyone that threatened their bonuses. Have you ever seen an addict when his drugs run out? He will do anything, walk 20 miles in the snow, rob a grandmother, to get a fix. Wall Street was just like that. In the months before bonuses were paid, the trading floor started to feel like a neighborhood in The Wire when the heroin has run out.

I had always looked enviously at people who made more than I did; now, for the first time, I felt ashamed of them, and of myself. In one year I made more than my mother earned in her entire life. I knew that was not fair; it was not right. Yes, I was quick and good with numbers. I had the kind of talent the market rewards. But in the end I had never really done anything. I was a derivatives trader, and as far as I could tell the world would hardly change if credit derivatives ceased to exist. Not so a nurse practitioner. What had once seemed ordinary now looked deeply distorted.

I recently read Taylor Branch's three-volume work on the Rev. Dr. Martin Luther King Jr. and the civil rights movement, and the image of the Freedom Riders stepping off the bus into an angry mob is burned into my mind. I told myself that if I had been alive in the 1960s, I would have been on that bus.

But I was lying to myself. There is no shortage of injustice in the world: extreme poverty, swelling prison populations, rampant sexual abuse, an obesity crisis. Not only was I doing nothing to help fix any of it, I was profiting from it. When the market crashed in 2008 I made a great deal of money shorting the derivatives of high-risk companies. The whole world was going broke, and I was making money. I saw the crisis coming, yet instead of helping the people who stood to be hit hardest, the people without a million dollars in their bank accounts, I used it to make money. My girlfriend had told me years earlier, I don't like who you've become. She was right; she had always been right. Only now I didn't like who I had become either.

The late sociologist and playwright Philip Slater described the symptoms of wealth addiction in a 1980 book, but addiction researchers have paid the concept little attention. Like alcoholics who drive drunk, wealth addicts are a danger to everyone. More than anyone else, wealth addicts are responsible for the rift that keeps widening and is tearing our once-great country apart; they are responsible for the vast and toxic gulf between rich and poor, and for the destruction of the middle class. Only a wealth addict would find $14 million in compensation reasonable, including an $8.5 million bonus, which is what McDonald's chief executive Don Thompson received in 2012, the year his company printed a brochure telling its employees how to survive on low wages. Only a wealth-addicted hedge-fund manager would pocket hundreds of millions of dollars in income and then lobby to keep a tax loophole that lets him pay a lower tax rate than his secretary.

Despite my epiphany, leaving was not easy. The thought of spending down my money and giving up future bonuses frightened me. What I feared most was that five or ten years later I would regret passing up the chance to become someone truly important. Everyone thought the idea of leaving was crazy, which made it even harder to decide. In 2010, in a final flare-up of my fading addiction, I demanded a bonus of $8 million instead of $3.6 million. My bosses said they would raise my bonus if I stayed a few more years. I left anyway.

The first year was really hard. I can only describe what I went through as "withdrawal": I would wake in the middle of the night in a panic about running out of money, and I combed the news to see which former colleagues had been promoted. But slowly things improved; I began to realize that I had enough money, and that if I needed more I was capable of earning it. My wealth addiction has not entirely gone away, though. Sometimes I still buy lottery tickets.

In the three years since I quit, I have married, spoken about getting sober in prisons and juvenile detention centers, taught a writing class for girls in the foster system, and started a nonprofit called Groceryships that helps poor families struggling with obesity and food addiction. I am much happier than before. I feel as if I am actually contributing something. With time, the distortion has faded. I now see the truth behind Wall Street's mantra, that we are smarter and work harder than everyone else and therefore deserve the money: it is an addict's rationalization. Distance has taught me what I could not feel at the time: Wall Street is a toxic culture that feeds the grandiosity of people desperate to feel powerful.

I was lucky. My experience with drugs and alcohol let me recognize my pursuit of wealth as an addiction. Years of work with my counselor helped heal the part of me that always felt hurt and inadequate, so that I had enough of a core sense of self to walk away.

There are dozens of kinds of 12-step groups, including Clutterers Anonymous and On-Line Gamers Anonymous, helping addicts of every sort, yet there is still no Wealth Addicts Anonymous. Why? Because our culture encourages, even celebrates, this addiction. Look at the magazine covers on any newsstand, plastered with the faces of celebrities and CEOs; the super-rich are our culture's gods. I hope we can all confront the fact that each of us bears some responsibility for the grip wealth addiction has on our country.

Broadly speaking, I think a person who is rich and believes the money he has is "enough" is not a wealth addict. On Wall Street, in my experience, that sense of "enough" is rare. A man who complains about his job all day long but works another year to add $2 million to a bank account already holding $20 million: that is addiction.

I recently received an email from a hedge-fund trader. He said that although he makes millions of dollars a year, he feels oppressed and empty, yet cannot summon the courage to quit. I believe there are many people like him. Perhaps we could form a group and face our addiction together. If you agree with this article but are not willing to quit, then at least take a small step in the right direction. Let's set up a fund into which everyone puts, say, 25 percent of their year-end bonus, and use the money to help some of the people who truly need what we have been chasing so frantically. Together we might actually do the world some good.

The author, Sam Polk, is a former hedge-fund trader and the founder of the nonprofit Groceryships.

(David)

Check Point: A Leader in the Mobile Data Protection Magic Quadrant for 7 Years in a Row


Gartner has positioned Check Point in the Leaders quadrant in the Magic Quadrant for Mobile Data Protection. Gartner evaluates each company's Mobile Data Protection (MDP) offerings on a scale of completeness of vision and ability to execute. According to Gartner research, "MDP systems and procedures are needed to protect business data privacy, meet regulatory and contractual requirements, and comply with audits."

Friday, January 24, 2014

Authenticate the management users from Radius server, reachable via a routing-instance

[SRX] Authenticate the management users from Radius server, reachable via a routing-instance


SUMMARY:
Can I authenticate the management users from a Radius server that is reachable via a routing-instance?
PROBLEM OR GOAL:
If the Radius server is reachable via a routing-instance, can I authenticate the management users from Radius?
SOLUTION:
Yes. The only requirement is that the inet.0 table has at least one interface as a member. By default the device uses the IP address of an interface in inet.0 as the source of the Radius traffic. It cannot use the IP address of an interface that belongs to the VR as its source, even if you import the route for that interface.
root@juniper> show configuration interfaces ge-0/0/0 
unit 0 {
    family inet {
        address 10.10.10.10/24;
    }
}

Example:

All the interfaces are members of VR and Radius configuration is as follows: 
root@juniper>show system radius-server 
10.10.10.11 secret "$9$dkw4aUjHqfTdbJDkqzF9ApORSeK8db28LbY"; ## SECRET-DATA
If there is no IP as part of inet.0 then the device will display the following message:
sshd: sendmsg to 10.10.10.11(10.10.10.11).1812 failed: Can't assign requested address
This covers the case where the customer is running short of physical interfaces and does not want to assign any physical interface IP to the inet.0 table; at least one interface must still be a member of inet.0.

In such a scenario you can configure a Loopback IP in the inet.0. The SRX will take the IP of the lo0 interface to source the traffic. Make sure you import the interface route of inet.0 to the VR as well; otherwise, the device will drop the return traffic.
root@juniper# show interfaces lo0 
unit 1 {
    family inet {
        address 1.1.1.1/32;
    }
}

Example on how to import route: 
  1. Configure the policy statement:

    policy-statement inettovr {
        from {
            instance master;
            route-filter 1.1.1.1/32 exact;
        }
        then accept;
    }

  2. Export this in inet.0:

    set routing-options instance-export inettovr

  3. Import this in VR testVR:

    set routing-instances testVR routing-options instance-import inettovr

Additionally, if you use the lo0 IP only to initiate the traffic to Radius and do not want to disclose this IP to the Radius server, you can configure source-based NAT or interface-based NAT, depending on the requirement.
root@srx# show security nat source 
pool dummy {
    address {
        10.10.10.10/32;
    }
}
rule-set 1 {
    from routing-instance default;
    to interface <interface that connects to radius>;
    rule 2 {
        match {
            source-address 1.1.1.1/32;
            destination-address 10.10.10.11/32;
        }
        then {
            source-nat {
                pool {
                    dummy;
                }
            }
        } 
    }
}
Note: If you use the source as VR interface for UAC or sending syslog, you will encounter the same issue and you will have to resolve this by configuring a lo0 interface to initiate traffic.
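The complete configuration the article describes, in set form, added here as an example; it is not part of the Juniper KB article. The names and addresses are reused from the article (testVR, inettovr, lo0 at 1.1.1.1/32, the Radius server 10.10.10.11 behind ge-0/0/0). The static next-table route, the authentication order and the Radius secret are assumptions, not statements from the article.

```junos
## Data-plane interface lives in the virtual router
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.10/24
set routing-instances testVR instance-type virtual-router
set routing-instances testVR interface ge-0/0/0.0

## Loopback left in inet.0 so system-originated Radius traffic has a usable source
set interfaces lo0 unit 1 family inet address 1.1.1.1/32

## Leak the loopback host route into testVR so the Radius reply to 1.1.1.1 is not dropped
set policy-options policy-statement inettovr from instance master
set policy-options policy-statement inettovr from route-filter 1.1.1.1/32 exact
set policy-options policy-statement inettovr then accept
set routing-options instance-export inettovr
set routing-instances testVR routing-options instance-import inettovr

## Assumed: give inet.0 a path to the Radius subnet through the VR's table
set routing-options static route 10.10.10.0/24 next-table testVR.inet.0

## Radius first, local passwords as fallback so a dead Radius server does not lock out admins
## (secret is a placeholder; Junos stores it as $9$ obfuscated text, not encrypted)
set system radius-server 10.10.10.11 secret RADIUS_SECRET_PLACEHOLDER
set system radius-server 10.10.10.11 source-address 1.1.1.1
set system authentication-order [ radius password ]
```

After committing, a Radius login should no longer produce the "sendmsg to 10.10.10.11(10.10.10.11).1812 failed: Can't assign requested address" message quoted above; if it still appears, check that lo0.1 has not been placed in any routing-instance, since an interface assigned to a VR leaves inet.0 entirely.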

YouTube Channel