Archive

Category Archives for "Networking"

Gimmicky IoT devices detract from IoT’s real potential

Making fun of silly implementations of the Internet of Things (IoT) is easier than shooting fish in a barrel. No matter how ridiculous the last IoT device may seem, there’s always something even more outré in the works. That’s fine — up to a point. It doesn’t necessarily hurt for IoT to enter people’s lives in friendly, non-threatening, non-mission-critical applications. Ideally, that can make IoT seem approachable instead of creepy, mildly useful instead of invasive. But there’s a limit to this approach. The endless parade of pointless IoT gimmicks threatens to trivialize the technology, leading consumers (and business people) to dismiss the IoT as the realm of smart toothbrushes and smart hairbrushes and smart refrigerators — and internet-connected toilets. To read this article in full, please click here

Explain Cisco ETA to Me in a Way That Even My Neighbor Can Understand It

Cisco Encrypted Traffic Analytics (ETA) sounds just a little bit like magic the first time you hear about it. Cisco is basically proposing that when you turn on ETA, your network can (magically!) detect malicious traffic (i.e., malware, trojans, ransomware, etc.) inside encrypted flows. Further, Cisco proposes that ETA can differentiate legitimate encrypted traffic from malicious encrypted traffic.

Uhmm, how?

The immediate mental model that springs to mind is that of a web proxy that intercepts HTTP traffic. In order to intercept TLS-encrypted HTTPS traffic, there’s a complicated dance that has to happen: building a Certificate Authority, distributing the CA’s public certificate to every device that will connect through the proxy, and then actually configuring the endpoints and/or network to push the HTTPS traffic to the proxy. This is often referred to as “man-in-the-middle” (MiTM) because the proxy actually breaks into the encrypted session between the client and the server. In the end, the proxy has access to the clear-text communication.

Is ETA using a similar method and breaking into the encrypted session?

In this article, I’m going to use an analogy to describe how ETA does what it does. Afterwards, you should feel more comfortable about how Continue reading

Automation Win: Cleanup Checkpoint Configuration

Gabriel Sulbaran decided to tackle a pretty challenging problem after watching my Ansible for Networking Engineers webinar: configuring older Checkpoint firewalls.

I had no idea what Ansible was when I started your webinar, and now I already did a really simple but helpful playbook to automate changing the timezone and adding and deleting admin users in a Checkpoint firewall using the command and raw modules. Had to use those modules because there are no official Checkpoint modules for the version I'm working on (R77.30).

Did you automate something in your network? Let me know!

It’s Hard To Change The Keys To The Internet And It Involves Destroying HSM’s

The root of the DNS tree has been using DNSSEC to protect the zone content since 2010. DNSSEC is simply a mechanism that provides cryptographic signatures alongside DNS records so that they can be validated, i.e. a resolver can prove the answer is correct and has not been tampered with. To learn more about why DNSSEC is important, you can read our earlier blog post.

Today, the root zone is signed with a 2048-bit RSA “Trust Anchor” key. This key is used to sign further keys and is used to establish the chain of trust that exists in the public DNS at the moment.

With access to this root Trust Anchor, it would be possible to re-sign the DNS tree and tamper with the content of DNS records on any domain, implementing a man-in-the-middle DNS attack… without causing recursors and resolvers to consider the data invalid.

As explained in this blog, the key is very well protected with eye scanners and fingerprint readers and fire-breathing dragons patrolling the gate (okay, maybe not dragons). Operationally though, the root zone uses two different keys: the mentioned Trust Anchor key (that is called the Key Signing Key or KSK for Continue reading

The Network Architect

What’s the difference between a network architect and a network designer? What is network architecture and what is network design? These are questions I asked myself a couple of years ago and that I get asked frequently by others. The reason I wanted to write this post is to help people that want to be network architects understand what it is about. I also wanted to help people that are studying for the CCDE to get into the right mindset. If you go into the practical with the mindset of a designer, you will fail. You need to think like an architect.

This post is not about whether an architect is more advanced than a designer. They are both needed and often they are the same person. I work as both, but my title is network architect. Some people use the title to indicate it’s a senior role, although the role might not be heavily geared towards design.

So what does a network architect do? And how is that different from the network designer?

The network architect is the one that is fronting the business. What does this mean? The network architect is the one that is meeting stakeholders Continue reading

Top 5 From The Last 3 Months

In today’s day and age, content is king. It’s nearly impossible to keep up with the deluge of information, especially in the tech space where change is constant. We’re aware that the struggle is real. To keep you up-to-date on the latest and greatest in networking, we’ve compiled a round-up blog of the top posts from the past few months.

VMware Closes Acquisition of VeloCloud Networks

In December, VMware NSX completed its acquisition of VeloCloud Networks, bringing their industry-leading, cloud-delivered SD-WAN solution to our own growing software-based networking portfolio. The acquisition of VeloCloud significantly advances our strategy of enabling customers to run, manage, connect and secure any application on any cloud to any device. Learn all about the acquisition from SVP and GM, Networking and Security Business Unit Jeff Jennings.

VMware SDDC with NSX Expands to AWS

With VMware Cloud on AWS, customers can now leverage the best of both worlds – the leading compute, storage and network virtualization stack enabling enterprises for SDDC can now all be enabled with a click of a button on dedicated, elastic, bare-metal and highly available AWS infrastructure. Bonus: because it’s a managed service by VMware, customers can focus on the Continue reading

What is NFV and what are its cost, performance and scaling benefits?

Network functions virtualization (NFV) enables IT pros to modernize their networks with modular software running on standard server platforms. Over time, NFV will deliver high-performance networks with greater scalability, elasticity, and adaptability at reduced costs compared to networks built from traditional networking equipment. NFV covers a wide range of network applications, but is driven primarily by new network requirements, including video, SD-WAN, Internet of Things and 5G. To read this article in full, please click here

Help Make the Internet a Safer Place for Everyone

Ash Ball, a young person in Australia, is working to end cyberbullying as part of the Project Rockit team. Ball, one of the Internet Society’s 25 Under 25 awardees, says he believes that it’s important to empower the younger generation to step in when they see someone being harassed online.

That message is especially important today, which is Safer Internet Day, a call to action to make the Internet safer for everyone.

Linda Patiño is another 25 Under 25 awardee leading the charge. “I was a victim of online harassment, receiving kidnapping and rape threats,” she says. Patiño’s work with the Colombia-based organization Colnodo uses ICTs to promote Internet safety and gender equality. “A tool can be so harmful. I enter this world [of activism] so other girls know they are not alone, that we are creating things to help them get through this. Even though these tools have serious impacts, we are doing good change” in the world.

We all have the power to help make the Internet a more welcoming and accessible place, but Ash Ball and Linda Patiño show that it’s a Continue reading

History of Networking: Paul Vixie on the Origins of DNS

Paul Vixie joins us on the History of Networking to talk about the spread of the DNS system—like a virus through the body network. All those radios in the background add a bit of history; Paul is an Amateur Radio Operator of many years, though, like me, he is not as active as he used to be in this realm.