Castle versus Cannon: It’s time to rethink security

In case you’re confused about the modern state of security, let me give you a short lesson.

Your network is pictured to the left. When I first started working on networks in the USAF we were just starting to build well designed DMZs, sort of a gate system for the modern network. “Firewalls” (a term I’m coming to dislike immensely), guard routers, VPN concentrators, and other systems were designed to keep your network from being “penetrated.” Standing at the front gate you’ll find a few folks wearing armor and carrying swords, responsible for letting only the right people inside the walls — policies, and perhaps even an IDS or two.

The world lived with castles for a long time — thousands of years, to be precise. In fact, the pride of the Roman Legion really wasn’t the short sword and battle formation, it was their ability to work in concrete. Certainly they had swords, but they could also build roads and walls, as evidenced by the Roman style fortifications dotting the entire world.

But we don’t live inside concrete walls any longer. Instead, our armies today move on small and large vehicles, defending territory through measure and countermeasure. They gather Continue reading

HL: On Being Different

The post HL: On Being Different appeared first on 'net work.

QOTW: Ignorance

Contrary to folk wisdom, ignorance is usually not blissful. Generally, it produces the very opposite of bliss. Just ask the frightened hiker lost in some remote mountain blizzard who never paid attention to his Boy Scout instruction; or ask the new employee who never did her math homework, frantically trying to figure out the correct change for customers; or, worse yet, ask the frustrated and annoyed patrons waiting in the ever-increasing line as this new employee bumbles one purchase after another.
Phillip Dow, Virtuous Minds

The post QOTW: Ignorance appeared first on 'net work.

Worth Reading: The Cryptech Project

The Snowden and subsequent revelations have called into question the integrity of some of the implementations of basic cryptographic functions and of the cryptographic devices used to secure applications and communications on the Internet. There are serious questions about algorithms and about implementations of those algorithms in software and particularly in hardware. … To fill this need the CrypTech project is developing an open-source hardware cryptographic engine design that meets the needs of high assurance Internet infrastructure systems that use cryptography. via the cryptech project

The post Worth Reading: The Cryptech Project appeared first on 'net work.

Buenos Aires Garden

The post Buenos Aires Garden appeared first on 'net work.

Worth Reading: Coordination is the Bottleneck

For last several decades, large-scale computing, whether for massive supercomputers or distributed enterprise systems, has been engaged in a never-ending game of whack-a-mole. Less colloquially, of chasing down one bottleneck bubble, only to find it revived elsewhere in the system with equal force. via thenextplatform

Continue reading

Worth Reading: Unlimited

“Unlimited” is a marketing lie. Whether it’s unlimited nights and weekends, unlimited mobile data, or unlimited storage, nothing is truly infinite. Companies want you to take advantage of their offerings to sell you something else. via networking nerd

The post Worth Reading: Unlimited appeared first on 'net work.

Worth Reading: Net Neutrality

The core conceit and fallacy of ‘neutrality’ has been to create a doctrine of fairness to packets at the local mechanism level. I hate to have to tell you this, but packets don’t have feelings. They don’t get irate when they are in a queue too long and other packets jump ahead of them. via circleid

Continue reading

HL: The Art of Network Architecture

The post HL: The Art of Network Architecture appeared first on 'net work.

Worth Reading: The ‘net is the real world

How much time have I wasted decrying the many hours a day a billion people waste on Facebook? How could I have been so wrong? How could I have not seen it? Facebook (FB) is the real world now. Our wives are all beautiful, our husbands brilliant, our children talented, our pets hilarious, and our home lives one impeccably framed picture after another. via fox business

The post Worth Reading: The ‘net is the real world appeared first on 'net work.

Reaction: Thoughts on Certifications

Should you stack up certifications, or should you learn something new? To put the question a different way: should Ethan get his CCDE? This week a couple of posts filtered through to my RSS feed that seem worth responding to on the certification front. Let’s begin with the second question first. This week, Ethan posted:

I’ve already achieved what I personally wanted to with the CCIE program. There is no doubt the certification changed my life, but I’m heading places now that the CCIE can’t take me. The CCDE program is still interesting to me, but I find the focus on service provider and very large enterprise technologies a disadvantage for me. Lots of work to get through the study, and I lack sufficient motivation to make a go of it right now. I still believe it’s a great program. Maybe I’ll get back to it someday.

I think the first part of Ethan’s argument is valid and correct: there comes a point you’ve wrung the value out of a certification (or certification path), and it’s time to move on. But how can you judge when that time has come? My thinking is based around this chart, taken from one Continue reading

Worth Reading: Better than Reno

Critically, today’s Internet assumes that most of the network’s resources are devoted to passing TCP traffic, and it also assumes that the flow control algorithms used by these TCP sessions all behave in approximately similar ways. If the switching and transmission resources of the network are seen as a common resource, then the assumption about the uniform behaviour of TCP sessions implies that these end-to-end transport sessions will behave similarly under contention. via circle id

The post Worth Reading: Better than Reno appeared first on 'net work.

Worth Reading: Alphabet and Anti-trust

What we have learned in the last two months is that Google is much more worried than it says about the risks it faces from a variety of real structural changes it may have to make in its core business overseas in the months and years ahead — where the vast majority of Google’s users are, and from where over 50% of its revenues come. Google apparently foresees a coming brand winter of antitrust/privacy structural enforcement actions hanging over Google around the world. via somewhat reasonable

The post Worth Reading: Alphabet and Anti-trust appeared first on 'net work.

Highlight: The Pie Problem

The post Highlight: The Pie Problem appeared first on 'net work.

IETF Yokohama Days 4 & 5

Posted on Packet Pushers here. This is my last post in the series; next week, back to regular blogging.

The post IETF Yokohama Days 4 & 5 appeared first on 'net work.

Worth Reading: Optical Memory

Previous experiments have shown that light-based memory chips are possible, but the problem is with data storage itself, as optical memory can be “volatile,” in that it usually requires continual power to store data. Turn off the power, and you lose your data. via the new stack

The post Worth Reading: Optical Memory appeared first on 'net work.

Worth Reading: IETF Yokohama Day 3

Post on Packet Pushers here.

The post Worth Reading: IETF Yokohama Day 3 appeared first on 'net work.

Worth Reading: Freedom on the ‘net

Out of the 3 billion users on the Internet, how many can trust that their online communications will not be monitored or censored? How many feel safe that they can express their opinions online and will not be arrested for their ideas? How many feel confident in communicating anonymously online? via freedom house

The post Worth Reading: Freedom on the ‘net appeared first on 'net work.

Reaction: DNS versus anycast

This post raises an obvious question: are techniques using DNS to “steer” traffic (such as IP geolocation) sufficient, or do you need to consider using anycast as LinkedIn did? The short answer is that DNS steering works well and is only getting better. via circleid

Matt’s article is well worth reading, but once you’re finished reading it —

It’s well worth remembering when dealing with different load balancing solutions (like most other things in life) that the right answer is, “it depends.” In this case, do you need TCP anycast, or can you use DNS based load sharing? It depends not only on how effective each one is, but also what sort of application you’re working with. Many apps designed for smart phones don’t use DNS at all, so some form of anycast or appliance based solution are all you have. Between these two, anycast is often just as viable a solution if your network is designed to handle it correctly.

In the end, all three solutions — anycast, DNS, and appliance based — are viable options. Which one you should choose just all depends.

The post Reaction: DNS versus anycast appeared first on 'net work.

Highlight: Practical BGP

The post Highlight: Practical BGP appeared first on 'net work.